JWE Token Encryption Behavior In OIDC Applications
Okta Identity Engine
API Access Management
Overview

This article describes the behavior of JSON Web Encryption (JWE) tokens for OpenID Connect (OIDC) applications. The encryption behavior for access and ID tokens differs depending on whether an Org Authorization Server or a Custom Authorization Server is used.

Applies To
  • OpenID Connect (OIDC)
  • JSON Web Encryption (JWE)
  • Authorization Servers
  • Okta Identity Engine (OIE)
Solution

The token encryption behavior is determined by the type of Authorization Server in use.

  • Org Authorization Server

    • The access token is not encrypted.

    • The ID token is encrypted.

  • Custom Authorization Server

    • The access token is encrypted using the keys configured on the Authorization Server.

    • The ID token is encrypted only if token encryption is enabled for the requesting application. The ID token is encrypted using the keys configured in the application.

NOTE: Introspect, Revoke, and UserInfo endpoints do not work with encrypted access tokens.
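
Because of the NOTE above, a client needs to know whether the access token it holds is encrypted before it calls Introspect, Revoke, or UserInfo. The following added example (not Okta's code) tells a compact JWE from a compact JWS by segment count and the `enc` header, as RFC 7516 describes; the function names, sample tokens and algorithm values are constructed for illustration.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JOSE uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def classify_token(token: str) -> dict:
    """Classify a compact-serialized token as JWS (signed) or JWE (encrypted)."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError("not a compact JWS or JWE")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("protected header is not base64url JSON") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    # RFC 7516 section 9: a compact JWE has five segments and an "enc" header.
    is_jwe = len(parts) == 5
    if is_jwe != ("enc" in header):
        raise ValueError("segment count and 'enc' header disagree")
    return {"kind": "JWE" if is_jwe else "JWS",
            "alg": header.get("alg"), "enc": header.get("enc")}

def endpoints_usable(access_token: str) -> bool:
    """Per the NOTE: Introspect, Revoke and UserInfo do not work with encrypted access tokens."""
    return classify_token(access_token)["kind"] == "JWS"

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed samples: the headers have real JOSE shapes, the other segments are dummy filler.
SAMPLE_JWS = ".".join([_b64url({"alg": "RS256", "kid": "example"}),
                       _b64url({"sub": "x"}), "c2ln"])
SAMPLE_JWE = ".".join([_b64url({"alg": "RSA-OAEP-256", "enc": "A256GCM"}),
                       "a2V5", "aXY", "Y3Q", "dGFn"])

if __name__ == "__main__":
    for name, tok in (("signed", SAMPLE_JWS), ("encrypted", SAMPLE_JWE)):
        print(name, classify_token(tok), "endpoints usable:", endpoints_usable(tok))
```

The check reads only the unencrypted protected header, so it needs no key material; it does not validate or decrypt the token.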

 
