Okta JWT Issuer & Claims
Verify Okta JWTs. Okta's issuer, JWKS URL, RS256 signing, and the uid, cid, scope claims explained with validation rules for access and ID tokens.
Okta issues JWTs for OAuth 2.0 and OpenID Connect. Access tokens and ID tokens are both JWTs signed with RS256. The issuer is your Okta domain: https://YOUR_DOMAIN.okta.com (or https://YOUR_DOMAIN.okta.com/oauth2/default for the default authorization server). Okta publishes its JWKS at /oauth2/default/v1/keys.
Issuer details
| Property | Okta |
|---|---|
| Issuer (iss) | https://YOUR_DOMAIN.okta.com |
| JWKS URL | https://YOUR_DOMAIN.okta.com/oauth2/default/v1/keys |
| OIDC discovery | https://YOUR_DOMAIN.okta.com/.well-known/openid-configuration |
| Signing algorithm | RS256 (default) |
Issuer-specific claims
Claims you will encounter in Okta JWTs and what they mean for this issuer:
| Claim | Meaning for this issuer |
|---|---|
| iss | https://YOUR_DOMAIN.okta.com/oauth2/default: your Okta authorization server issuer. Validate against your exact authorization server URL. |
| sub | The user's Okta user ID. Stable within the Okta org. |
| uid | Okta user ID: present in access tokens. Equivalent to sub for user tokens. |
| cid | Client ID: the Okta client the token was issued to. Validate cid when your API accepts tokens from specific clients only. |
| aud | Your API's audience identifier (configured in the Okta authorization server). Validate aud on every request. |
| scope | Space-separated scopes granted to the token. Check for scope-based authorization. |
| auth_time | Unix timestamp of when the user authenticated. Use for re-authentication policies (force re-auth if auth_time is older than N minutes). |
Verifying tokens from this issuer
Fetch public keys from https://YOUR_DOMAIN.okta.com/oauth2/default/v1/keys. Hardcode algorithms: ['RS256']. Validate iss against your authorization server URL and aud against your API's audience. Okta rotates keys on a schedule configured per authorization server: use a caching JWKS client.
Frequently asked questions
- What is the Okta JWT issuer URL?
  The iss claim is your Okta authorization server URL: https://YOUR_DOMAIN.okta.com/oauth2/default for the default authorization server, or a custom authorization server URL like https://YOUR_DOMAIN.okta.com/oauth2/{authServerId}. Validate iss against your exact authorization server. The JWKS endpoint is https://YOUR_DOMAIN.okta.com/oauth2/default/v1/keys, and tokens are signed with RS256.
- Does Okta use RS256 or HS256?
  Okta uses RS256 by default for both access tokens and ID tokens. Public keys are published at the authorization server's JWKS endpoint. Hardcode algorithms: ['RS256'] in your verification calls and fetch the public key from the JWKS; never hardcode the key itself, as Okta rotates keys on a configurable schedule.
- What is the cid claim in Okta JWTs?
  cid is the client ID: the Okta OAuth 2.0 client the token was issued to. Validate cid when your API accepts tokens from specific clients only (e.g. your single-page app's client ID but not your CLI tool's). Without cid validation, any Okta client with access to your API's audience can mint tokens your API accepts.