Access token kid

I need to add the kid in the generated access token. I have an API I need to access and I want to use the access token that I obtained after authentication. The API needs the kid to select the correct secret to verify the access token. I have seen the kid in the id token but it seems that its not encouraged to send the id token to the API.

Hello @vanjoe,

Welcome to the Community! I believe you can get the kid for any Auth0 tenant at the tenants .well-known/jwks.json URL. For example, my own tenant: https://iamatwork.auth0.com/.well-known/jwks.json

Thanks for the reply @markd. Anyway you can share some settings that will force the kid to be included in the header of the access token that I get after authentication? I always only get this in the header:

{
“alg”: “HS256”,
“typ”: “JWT”
}

I’m not aware of any settings like that, but you could write a Rule to get the kid from the .well-known endpoint and include it in your tokens.

Looks like you can also use the https://auth0.com/docs/api/management/v2/#!/Keys/get_signing_keys endpoint of the Management API.

Hi @vanjoe,

The ‘kid’ claim is an optional header claim, used to specify the key for validating the signature when using RS256 as your signing algorithm.

‘kid’ is not present as you are using HS256 as your signing algorithm. This means the same key will be used to generate the signature and subsequently validate it - this key must be kept confidential and only shared by parties that need it for validating a JWT.

If you are using RS256, ‘kid’ is included in the header so that the corresponding public key for the private key used to generate the signature can be identified from the list of public keys available in the JWKS endpoint. This is particularly useful during key rotation.

More information is at:

Thanks for the reply. As I had also surmised that my access token would never contain a kid due to the algo used I opted to find another way on how to determine which secret to use on my API. I had to stick to HS256.