x5c and CA Certs for JWT Access Token
Okta Identity Engine
Overview

The x5c parameter and CA certificates are not supported. Okta does not use an X.509 certificate to sign tokens, so the x5c parameter is not present in the keys returned by the /keys endpoint.

Applies To
  • OAuth/OpenID Connect application
  • JWT validation
Cause

Okta does not return the optional x5c header at the keys endpoint because signing tokens with an X.509 certificate is not currently supported. The endpoint instead returns the information needed to verify tokens signed with RS256. The parameters the keys endpoint does return are listed in the /keys endpoint documentation.

Solution

Most JWT libraries can validate tokens without this parameter. Whether x5c is used at all depends on the OAuth implementation, because the JWK specification (RFC 7517) lists x5c as optional.

There are, however, a few third-party tools that convert between cryptographic formats, using the e (exponent) and n (modulus) JWK parameters to build the public key. Example: lokey.
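Building the verification key from n and e directly, as an added example that is not Okta's code and not lokey: the JWK and signer below are constructed stand-ins for the /keys response and the authorization server (the key is generated in-process with a Fermat test and is test-only), and the verifier uses nothing but kty, n and e, which is why the absent x5c parameter does not block validation.

```python
import base64, hashlib, hmac, json, math, random

def b64u_dec(s):  # base64url without padding, as in JWK parameters and JWT segments
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def jwk_public_numbers(jwk):
    """Rebuild the RSA public key (n, e) from the JWK parameters alone; no x5c needed."""
    if jwk.get("kty") != "RSA": raise ValueError("not an RSA JWK")
    return tuple(int.from_bytes(b64u_dec(jwk[m]), "big") for m in ("n", "e"))

# RFC 8017 section 9.2: EMSA-PKCS1-v1_5 using the SHA-256 DigestInfo prefix
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg, em_len):
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def verify_rs256(token, jwk):
    """True iff the JWT's RS256 signature verifies under (n, e) taken from the JWK."""
    h, p, s = token.split(".")
    if json.loads(b64u_dec(h)).get("alg") != "RS256":
        return False  # pin the algorithm; never let the token choose it
    n, e = jwk_public_numbers(jwk)
    k, sig = (n.bit_length() + 7) // 8, b64u_dec(s)
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(f"{h}.{p}".encode(), k))

# Constructed signing side standing in for the authorization server (test-only key)
def _prime(bits):  # Fermat test: fine for a throwaway key, not for production
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(random.randrange(2, c - 1), c - 1, c) == 1 for _ in range(40)):
            return c

def make_test_keypair(bits=1024, e=65537):
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    jwk = {"kty": "RSA", "kid": "test-key-1", "e": b64u_enc(e.to_bytes(3, "big")),
           "n": b64u_enc(n.to_bytes((n.bit_length() + 7) // 8, "big"))}
    return jwk, pow(e, -1, phi)  # second value is the private exponent d

def sign_rs256(claims, jwk, d):
    n, _ = jwk_public_numbers(jwk)
    k = (n.bit_length() + 7) // 8
    h = b64u_enc(json.dumps({"alg": "RS256", "kid": jwk["kid"]}).encode())
    p = b64u_enc(json.dumps(claims).encode())
    m = int.from_bytes(emsa_pkcs1_v15(f"{h}.{p}".encode(), k), "big")
    return f"{h}.{p}.{b64u_enc(pow(m, d, n).to_bytes(k, 'big'))}"
```

A real verifier would additionally select the key by kid from the /keys response and check iss, aud and exp after the signature passes.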
