How to get token with jku claim

Hi there,

I’m using Auth0 to generate API tokens, but I haven’t find a way to have the jku claim provided in the generated token. The header does contain the kid claim, but no jku claim. I’d expect to have the jku pointing to https://YOUR_DOMAIN/.well-known/jwks.json

Does anyone know how to do this, is there a settings that I missed?


Hi @david.rouchet,

Welcome to the Auth0 Community!

Unfortunately, the jku claim is not part of the standard claims from what I’ve found.

In this case, you have the option and appending the jku claim with the https://YOUR_DOMAIN/.well-known/jwks.json value using either an Auth0 Rule or Action.

Once you’ve done so, your tokens will include the jku claim.

Please let me know how this works for you.

Thank you.

Hi @rueben.tiow

Thanks for your feedback. I’ve indeed thought of that option, but not very familiar with either Rule or Actions. I actually gave it a try but not succeeded, do you have some guidelines to provide to do so, especially to alter the header section of the token?

Thank you

Hi @david.rouchet,

Sure, let me explain further.

In this case, I recommend using a Post-Login Action to append custom claims to the Token. Head over to your Auth0 Dashboard > Actions > Flows > Login and click on the plus symbol (+) to create a new custom Action. In that script, use the code below.

exports.onExecutePostLogin = async (event, api) => {
  const namespace = '';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/jku`, "https://YOUR_DOMAIN/.well-known/jwks.json");
    api.accessToken.setCustomClaim(`${namespace}/jku`, "https://YOUR_DOMAIN/.well-known/jwks.json");

Please don’t forget to Deploy the Action and attach the Action to the flow. You will need to drag the Action into your Post-Login Flow, and press Apply.

Once that is done, the jku claim will be in both the access token and ID token.

Please let me know if there’s anything else I can do to help.


Hi @rueben.tiow

many thanks for these guide lines. I’m actually using a client credential flow, so I created an action into the Machine-to-Machine flow. According to the logs, the action is being executed (no errors) when calling the ‘/oauth/token’ endpoint to get the token, but the token doesn’t contain any new claim.

The action code is as follow:

exports.onExecuteCredentialsExchange = async (event, api) => {
  const namespace = '';
  const jkuValue = namespace + "/.well-known/jwks.json";
  const jkuName = namespace + "/jku";

  let res = api.accessToken.setCustomClaim( jkuName, jkuValue );
  console.log( `value added to token as jku: ${jkuName}:${jkuValue}`)
  console.log( `ops result: ${JSON.stringify(res)}`)

any idea?


1 Like

Hi @david.rouchet,

Thank you for your response!

I forgot to mention that you should use any non Auth0 HTTP or HTTPS URL as the namespace identifier. Auth0 domains cannot be used as namespace identifiers, which includes:

I recommend that you modify your namespace to one that qualifies, and you’ll be able to see it in the claims.

Thank you.

Hi @rueben.tiow

so, thanks for the last tip, it works now. However, it seems that claims without a url schema in the name (ex: myclaim) are not supported, is this correct?

Also, is there a way to add claims in the header of the token?

Thank you

Hi @david.rouchet,

Thank you for your response, and I’m happy that it works now!

That’s correct. Custom claims must be appended with a somewhat arbitrary namespace.

Unfortunately, no, this is not possible.

Please let me know if you have any further questions.


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.