<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Creating a Private Key JWT when a Client Has Multiple Public/Private Key Pairs
Jan 16, 2026
API Access Management
Okta Classic Engine
Okta Identity Engine
Overview

This article discusses creating a private key JWT when a client has multiple public/private key pairs.

When a client has multiple public/private key pairs, the following error will occur if a key ID is not included in the JWK header:

 

{"error":"invalid_client","error_description":"The client_assertion JWT kid is invalid."}

 

 

Applies To
  • OAuth
  • Okta API 
Solution
To avoid this error, ensure that the keyID (kid) parameter found on the public key is present in the JWK header:
 
header
 
 

Recommended content

Still looking for help?
Loading
Creating a Private Key JWT when a Client Has Multiple Public/Private Key Pairs