> ## Documentation Index
> Fetch the complete documentation index at: https://docs-staging-quickstart-revamp.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn how to configure JWT-secured Authorization Requests (JAR) for an application.

# Configure JWT-secured Authorization Requests (JAR)

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details.
</Callout>

<Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip>-Secured Authorization Requests (JAR) allow OAuth2 authorization request parameters to be packaged into a single JWT request parameter which is then signed for integrity protection.

## Prerequisites

Before configuring your application for using JAR, you must [generate an RSA key pair](/docs/secure/application-credentials/generate-rsa-key-pair).

<Warning>
  You should generate a separate key pair for each type of credential usage. For example, do not reuse the same key pairs for both JAR and Private Key JWT Authentication.
</Warning>

## Configure JAR for an application

You can configure JAR for an application with the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> and the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip>.

<Tabs>
  <Tab title="Auth0 Dashboard">
    Use the Auth0 Dashboard to configure your application to use JAR with previously generated RSA keys.

    1. Navigate to [Auth0 Dashboard > Applications](https://manage.auth0.com/#/applications).
    2. Select the application you want to use with JAR.
    3. Select the **Application Settings** tab.
    4. In the **Authorization Requests** section, enable **Require JWT-Secured Authorization Requests**.
    5. If no credential is assigned and there are credentials available, you will be prompted to assign an existing credential.

           <Frame>
             <img src="https://mintcdn.com/docs-staging-quickstart-revamp/cn1eMmAiJHX3hF4T/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png?fit=max&auto=format&n=cn1eMmAiJHX3hF4T&q=85&s=273d605dff0fb50c21a1368dd8167c2f" alt="Dashboard > Application > Settings > Assign Existing Credentials" data-og-width="792" width="792" data-og-height="688" height="688" data-path="images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/docs-staging-quickstart-revamp/cn1eMmAiJHX3hF4T/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png?w=280&fit=max&auto=format&n=cn1eMmAiJHX3hF4T&q=85&s=59c9e47364e9bf961f21a26279a34dba 280w, https://mintcdn.com/docs-staging-quickstart-revamp/cn1eMmAiJHX3hF4T/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png?w=560&fit=max&auto=format&n=cn1eMmAiJHX3hF4T&q=85&s=493e8a98c7fd844a4b477ae7ccfe0779 560w, https://mintcdn.com/docs-staging-quickstart-revamp/cn1eMmAiJHX3hF4T/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png?w=840&fit=max&auto=format&n=cn1eMmAiJHX3hF4T&q=85&s=bfb36a14de0e206abf129d4ce32f255b 840w, https://mintcdn.com/docs-staging-quickstart-revamp/cn1eMmAiJHX3hF4T/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png?w=1100&fit=max&auto=format&n=cn1eMmAiJHX3hF4T&q=85&s=0e91cbd0c8b7dbc877daa56e01cc8577 1100w, https://mintcdn.com/docs-staging-quickstart-revamp/cn1eMmAiJHX3hF4T/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png?w=1650&fit=max&auto=format&n=cn1eMmAiJHX3hF4T&q=85&s=316ba261f4df691ea75b3b4b41dd3b06 1650w, https://mintcdn.com/docs-staging-quickstart-revamp/cn1eMmAiJHX3hF4T/images/cdy7uua7fh8z/HQHhFWTtdfNa5TnZ1dwx6/e47068cc9e85c538f80476162f4314a3/Existing_Creds_-_English.png?w=2500&fit=max&auto=format&n=cn1eMmAiJHX3hF4T&q=85&s=6ccf6b7bbe43c1edb5fde2c8dee3f139 2500w" />
           </Frame>
    6. You will also have the option to assign a new credential.

           <Frame>
             <img src="https://mintcdn.com/docs-staging-quickstart-revamp/KCEsvkqT5-VRQ297/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png?fit=max&auto=format&n=KCEsvkqT5-VRQ297&q=85&s=0c5c4a607667d1c022f1b164c5522b1f" alt="Auth0 Dashboard > Applications > Settings > Assign New Credentials" data-og-width="702" width="702" data-og-height="366" height="366" data-path="images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/docs-staging-quickstart-revamp/KCEsvkqT5-VRQ297/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png?w=280&fit=max&auto=format&n=KCEsvkqT5-VRQ297&q=85&s=08260f9e01ac6e20326883906357fdd5 280w, https://mintcdn.com/docs-staging-quickstart-revamp/KCEsvkqT5-VRQ297/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png?w=560&fit=max&auto=format&n=KCEsvkqT5-VRQ297&q=85&s=2addbd0fbd88b6abb4117a9cb4b5f7cf 560w, https://mintcdn.com/docs-staging-quickstart-revamp/KCEsvkqT5-VRQ297/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png?w=840&fit=max&auto=format&n=KCEsvkqT5-VRQ297&q=85&s=31746e5be2ecfa7787a5fe6f0cefef90 840w, https://mintcdn.com/docs-staging-quickstart-revamp/KCEsvkqT5-VRQ297/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png?w=1100&fit=max&auto=format&n=KCEsvkqT5-VRQ297&q=85&s=0b14c792fc8b394e2c714a3453f2ecdb 1100w, https://mintcdn.com/docs-staging-quickstart-revamp/KCEsvkqT5-VRQ297/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png?w=1650&fit=max&auto=format&n=KCEsvkqT5-VRQ297&q=85&s=fae55a187faf5d807f43537282dcbc7a 1650w, https://mintcdn.com/docs-staging-quickstart-revamp/KCEsvkqT5-VRQ297/images/cdy7uua7fh8z/7JfsCBwytWO6Q7hUvdtSwJ/b85fd39fea7330a31496f51347767ae7/New_Creds_-_EN.png?w=2500&fit=max&auto=format&n=KCEsvkqT5-VRQ297&q=85&s=b2c9b59619e07429829dc745757fdfee 2500w" />
           </Frame>
    7. Add and assign a new credential by uploading a previously generated RSA key pair. When prompted, enter the following:

       * **Name**: a name to identify the credential
       * **Public Key**: public key of the X.509 certificate in PEM format
       * **Algorithm**: select the JAR signature algorithm
       * **Expiration Date**: set the expiration date of the credential
  </Tab>

  <Tab title="Management API">
    Use the [Management API](https://auth0.com/docs/api/management/v2) to configure JAR for your application using the `signed_request_object` client configuration property. This object property contains the following fields:

    * `required`: forces all authorization requests to the `/authorize` and `/oauth/par` to use JAR. To learn more, read [Authorization Code Flow with JWT-Secured Authorization Requests](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-jar) and [Authorization Code Flow with PAR and JAR](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par-and-jar).
    * `credentials`: an array of credential IDs used to verify signatures.

    <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
      The credentials parameter behaves similarly to the Private Key JWT parameter `client_authentication_methods.private_key_jwt.credentials` which supports credential creation when you create a new application. To learn more, read [Configure Private Key JWT](/docs/get-started/applications/configure-private-key-jwt).
    </Callout>

    You can configure JAR for a new application or for an existing application via the Management API.

    #### Configure JAR for a new application

    When you create a new application, configure JAR by sending a POST request with the `signed_request_object`. In that POST request, you can also register the corresponding client credential (i.e. the key PEM):

    ```json lines
    POST https://{yourTenant}.auth0.com/api/v2/clients
    Authorization: Bearer [YOUR ACCESS TOKEN]
    Content-Type: application/json
    {
      "name": "My App using JAR",
      "signed_request_object": {
          "required": true,
    "credentials": [{
            "name": "My credential for JAR",
            "credential_type": "public_key",
            "pem": "[YOUR PEM FILE CONTENT]",
            "alg": "RS256"
    }]
      },
      "jwt_configuration": {
        "alg": "RS256"
      }
    }
    ```

    #### Configure JAR for an existing application

    When updating an existing application, you need to explicitly create a client credential first. The following POST request uses your PEM file content to create your client credentials for JAR:

    {/* codeblockOld.header.login.logInButton codeblockOld.header.login.configureSnippet */}

    ```json lines
    POST https://{yourTenant}.auth0.com/api/v2/clients/{yourClientId}/credentials
    Authorization: Bearer [YOUR ACCESS TOKEN]
    Content-Type: application/json
    {
      "name": "My credentials for JAR",
      "credential_type": "public_key",
      "pem": "[YOUR PEM FILE CONTENT]",
      "alg": "RS256"
    }
    ```

    <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
      Make sure newlines are properly JSON-encoded with no additional formatting.
    </Callout>

    Then, assign the client credential to the `signed_request_object` client configuration. The following PATCH request associates your client credentials with the `signed_request_object`:

    {/* codeblockOld.header.login.logInButton codeblockOld.header.login.configureSnippet */}

    ```json lines
    PATCH https://{yourTenant}.auth0.com/api/v2/clients/{yourClientId}
    Authorization: Bearer [YOUR ACCESS TOKEN]
    Content-Type: application/json
    {
      "signed_request_object": {
        "credentials": [{"id": "[YOUR CREDENTIAL ID]"}]
      }
    }
    ```
  </Tab>
</Tabs>

## Learn more

* [Authorization Code Flow with JWT-Secured Authorization Requests (JAR)](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-jar)
* [Authorization Code Flow with PAR and JAR](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par-and-jar)
