This article explains why a 403 Permission Denied error occurs when attempting to add a new JSON Web Key (JWK) through the API while authenticating with an OAuth 2.0 access token. The error is returned for a POST request to the https://<OktaDomainName>/api/v1/apps/<appId>/credentials/jwks endpoint, with the message:
You do not have permissions to perform the requested action
- Okta Management API
- OAuth 2.0
- JSON Web Key (JWK)
The issue occurs because the client application is using a bearer token that was issued to it in order to authorize an action that grants new privileges to itself or to other apps; adding a JWK registers a new credential with which that app can authenticate. This pattern, known as a self-authorization loop, is currently not supported by the system as a security measure, so the request is rejected with 403 regardless of the scopes or roles the token carries.
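The following Python snippet is an added troubleshooting aid, not Okta's code or code from this article. Given the request that produced the 403 (method, path, Authorization header value, status), it classifies whether the failure matches the self-authorization pattern described above: a POST to the JWKS credentials endpoint authenticated with an OAuth bearer token. It assumes that Okta access tokens carry a `cid` claim naming the client they were issued to, and it decodes the token payload without verifying the signature, purely to read that claim for diagnosis. The sample token is constructed inline.

```python
"""Classify a 403 from POST /api/v1/apps/{appId}/credentials/jwks.

Added diagnostic example (not Okta's code). Assumption: OAuth access tokens
issued by Okta carry a `cid` claim holding the client ID. The JWT payload is
decoded here WITHOUT signature verification; it is read only for diagnosis.
"""
import base64
import json
import re
from dataclasses import dataclass

# Path of the endpoint this article discusses; the app ID is captured for comparison.
JWKS_PATH = re.compile(r"^/api/v1/apps/(?P<app_id>[^/]+)/credentials/jwks/?$")


@dataclass
class Diagnosis:
    kind: str    # short machine-readable classification
    detail: str  # human-readable explanation


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT-shaped token for offline testing only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}."  # empty signature segment


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload claims without verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(method: str, path: str, authorization: str, status: int) -> Diagnosis:
    """Decide whether a response matches the self-authorization limitation."""
    if status != 403:
        return Diagnosis("not_403", f"status {status} is not the permission error discussed here")

    match = JWKS_PATH.match(path)
    if method.upper() != "POST" or match is None:
        return Diagnosis("other_endpoint", "request is not a POST to the app JWKS credentials endpoint")

    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer":
        # Assumption: the limitation described in the article concerns OAuth bearer tokens;
        # a 403 with another credential type needs a different explanation.
        return Diagnosis("non_oauth_credential", f"'{scheme}' credential: not the bearer-token case")

    try:
        cid = decode_jwt_payload(token).get("cid")
    except ValueError:
        return Diagnosis("self_authorization_loop",
                         "OAuth bearer token (opaque, cid unreadable) used to add a JWK to an app")

    target = match.group("app_id")
    if cid == target:
        detail = f"token issued to client {cid} used to add a JWK to the same app"
    else:
        detail = f"token issued to client {cid} used to add a JWK to app {target}"
    return Diagnosis("self_authorization_loop", detail + "; perform this from the Admin Console instead")


if __name__ == "__main__":
    # Constructed sample: a service app adding a JWK to itself with its own access token.
    sample = make_sample_token({"cid": "0oaSAMPLEapp", "scp": ["okta.apps.manage"]})
    print(diagnose("POST", "/api/v1/apps/0oaSAMPLEapp/credentials/jwks", f"Bearer {sample}", 403))
```

Run it against the request and response you captured; only a 403 on that exact endpoint with a bearer token is attributed to the self-authorization loop, so other 403s are left for you to investigate separately.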
The operation can be performed from the Admin Console as described in the article below.
