Okta Client Assertion "Error: Invalid Key ID"
Overview

When using a JWT (JSON Web Token) client assertion to authenticate against the /token endpoint, Okta may return an invalid_client error with the following body:

{
  "error": "invalid_client",
  "error_description": "The client_assertion JWT kid is invalid."
}
Applies To
  • OpenID Connect
  • OAuth 2.0
  • AI Agents
  • Okta Identity Engine (OIE)
Cause

The kid (key ID) specified in the client assertion JWT header does not match any keys registered for the client or AI agent in Okta.

This error occurs when any of the following are true while calling the /token endpoint:

  • The kid is missing from the JWT header.
  • The kid does not match the key ID of the registered public key.
  • The client or AI agent has not been properly configured with a public key.
Solution
  1. Verify the kid in the JWT header: decode the first (header) segment of the assertion locally, since it is only base64url-encoded JSON, and confirm that a kid member is present. A debugger such as jwt.io also works, but an unexpired client assertion can be replayed against the /token endpoint until its exp passes, so avoid pasting a live one into a third-party site.
  2. Check the registered keys: in the Okta Admin Console, open the client or AI agent configuration and confirm that a public key is registered and that its key ID is exactly the string the assertion carries in kid. If the key was recently rotated or re-uploaded, the assertion must be signed with the currently registered key and carry that key's ID.
    • For AI Agents: navigate to AI Agents > select the specific agent, and view Credentials.

 [Screenshot: AI Agent Credentials]

    • For OIDC client applications: navigate to Applications > Applications > select the OIDC application, and scroll down to Public Keys.

 [Screenshot: OIDC application Public Keys]
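The two checks above can be scripted so that the assertion is never pasted into a web debugger. The following is an added example, not part of the original article and not Okta's own code: it decodes the header of a client assertion locally and compares its kid with the key IDs in a JWKS document of the kind shown under Public Keys or Credentials. The JWKS, the client ID and the assertion are constructed here for illustration, and the signature segment is a placeholder rather than a real RS256 signature, because only the header and the registered key IDs matter for this error.

```python
import base64
import json
import time
from typing import Optional

# Constructed JWKS standing in for the keys registered in the Okta Admin Console
# (Applications > ... > Public Keys, or AI Agents > ... > Credentials).
REGISTERED_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "key-2024-a", "use": "sig", "alg": "RS256",
         "n": "constructed-modulus", "e": "AQAB"}
    ]
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_assertion(assertion: str) -> tuple:
    """Split a compact JWS and return (header, claims) without verifying the signature."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("client_assertion must have three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def check_kid(assertion: str, registered_jwks: dict) -> list:
    """Return the reasons Okta would answer 'The client_assertion JWT kid is invalid'.

    An empty list means the header kid matches a registered key ID exactly.
    """
    problems = []
    header, _claims = decode_assertion(assertion)
    kid = header.get("kid")
    registered = {key.get("kid") for key in registered_jwks.get("keys", [])}
    if not registered:
        problems.append("no public key registered for this client/agent")
    if kid is None:
        problems.append("kid missing from JWT header")
    elif kid not in registered:
        # kid is compared as an exact, case-sensitive string.
        problems.append(f"kid {kid!r} not among registered key IDs {sorted(registered)}")
    return problems


def make_constructed_assertion(kid: Optional[str],
                               client_id: str = "0oaexampleclientid") -> str:
    """Build a private_key_jwt-shaped assertion for testing the checks above.

    The signature segment is a placeholder; a real assertion is signed with the
    private half of the registered key.  Hypothetical client ID and token URL.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    now = int(time.time())
    claims = {
        "iss": client_id, "sub": client_id,
        "aud": "https://example.okta.com/oauth2/default/v1/token",
        "iat": now, "exp": now + 300, "jti": "constructed-jti-1",
    }
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([compact(header), compact(claims), b64url_encode(b"\x00" * 32)])


if __name__ == "__main__":
    for label, kid in [("matching", "key-2024-a"), ("missing", None), ("stale", "old-kid")]:
        print(label, check_kid(make_constructed_assertion(kid), REGISTERED_JWKS) or "ok")
```

To use this against a real deployment, replace REGISTERED_JWKS with the JSON shown on the Public Keys or Credentials page and pass the assertion your client actually sends; a non-empty result from check_kid tells you which of the three causes listed above applies before you retry the /token call.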