Actions - How to sign JWT with RS256?

I’m using a post-login action redirect and attempting to send a session_token as a query param to the redirect URL. With HS, you could use api.redirect.encodeToken while passing in a secret, but what is the equivalent for RS?

When using RS for signatures, it seems that Auth0 handles the private key and signs tokens. If I omit the secret option for api.redirect.encodeToken, I get an error in the browser saying: access_denied (secret must be a string or bufferor a KeyObject).

How can I sign and send a session_token along with my redirect during the action flow?

Hi @k.lee,

Thanks for reaching out to the Auth0 Community!

I understand that you would like to change the signing algorithm for your JWT Web Token.

It seems like you may need to change your signing algorithm on your Application settings from HS256 to RS256. To do so, I recommend checking that your Application settings have set the JSON Web Token (JWT) Signature Algorithm to RS256 under the Advanced Settings at the bottom of the page. Please do not forget to save your changes.

Moreover, if you are making a login request with an API as the audience, I suggest checking that your Signing Algorithm is configured to RS256.

Then once this is complete, your application is configured to sign the JSON web token with the RS256 algorithm.

Please let me know how this goes for you.

Thank you.

Thanks for the response!

My application is already configured to use the RS256 signing algorithm. My issue was using api.redirect.encodeToken when my application is set to use RS256 - however, it seems that this method uses HS256 by default.

Everything works on my end now! Originally, it was unclear whether I had to use an RS256 signing algorithm for this API method.
