---
title: Authentication Methods in ZITADEL
sidebar_label: Authentication Methods
---

## Client Secret Basic

When using `client_secret_basic` on token or introspection endpoints, provide an `Authorization` header with a Basic auth value in the following form:

```markdown
Authorization: "Basic " + base64( formUrlEncode(client_id) + ":" + formUrlEncode(client_secret) )
```

Given the client_id `78366401571920522@amce` and client_secret `veryweaksecret!`, this would result in the following `Authorization` header:

`Basic NzgzNjY0MDE1NzE5MjA1MjIlNDBhbWNlOnZlcnl3ZWFrc2VjcmV0JTIx`

## JWT with Private Key

When using `private_key_jwt` (`urn:ietf:params:oauth:client-assertion-type:jwt-bearer`) for token or introspection endpoints, provide a JWT as assertion, generated with the following structure and signed with a downloaded key:

---

Key JSON

| Key      | Example                                                             | Description                                                                    |
|:---------|:--------------------------------------------------------------------|:-------------------------------------------------------------------------------|
| type     | `"application"`                                                     | The type of account; right now only `application` is valid                     |
| keyId    | `"81693565968962154"`                                               | The unique ID of the key                                                       |
| key      | `"-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----"` | The private key generated by ZITADEL; this cannot be regenerated!              |
| clientId | `78366401571920522@acme`                                            | The client_id of the application; this is the same as the subject from tokens  |
| appId    | `78366403256846242`                                                 | The id of the application (just for completeness, not used for the JWT)        |

```JSON
{
  "type": "application",
  "keyId": "81693565968962154",
  "key": "-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----",
  "clientId": "78366401571920522@acme",
  "appId": "78366403256846242"
}
```

---

JWT

| Claim | Example                    | Description                                                                                                     |
|:------|:---------------------------|:----------------------------------------------------------------------------------------------------------------|
| aud   | `"https://$CUSTOM-DOMAIN"` | String or array of intended audiences; MUST include ZITADEL's issuing domain                                    |
| exp   | `1605183582`               | Unix timestamp of the expiry                                                                                    |
| iat   | `1605179982`               | Unix timestamp of the creation (signing) time of the JWT; MUST NOT be older than 1h                             |
| iss   | `"78366401571920522@acme"` | String which represents the requesting party (owner of the key), normally the `clientID` from the JSON key file |
| sub   | `"78366401571920522@acme"` | The subject ID of the application, normally the `clientID` from the JSON key file                               |

```JSON
{
  "iss": "78366401571920522@acme",
  "sub": "78366401571920522@acme",
  "aud": "https://$CUSTOM-DOMAIN",
  "exp": 1605183582,
  "iat": 1605179982
}
```

> To identify your key, it is necessary that you provide a JWT with a `kid` header claim representing your keyId from the Key JSON:
>
> ```json
> {
>   "alg": "RS256",
>   "kid": "81693565968962154"
> }
> ```
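Both methods above in working form, as an added Go example that is not ZITADEL's own code: `BasicAuthHeader` builds the `client_secret_basic` value exactly as the formula states (form-url-encoding turns `@` into `%40` and `!` into `%21`), `ClientAssertion` builds and RS256-signs the `private_key_jwt` assertion with the `kid` header, and `VerifyAssertion` shows the check the receiving side performs before trusting any claim. The RSA key is one you generate yourself (the page's key material is elided), the one-hour `exp` lifetime is a choice of this example, and `aud` must be your own ZITADEL domain.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
	"time"
)

// BasicAuthHeader: "Basic " + base64(formUrlEncode(client_id) + ":" + formUrlEncode(client_secret)).
func BasicAuthHeader(clientID, clientSecret string) string {
	creds := url.QueryEscape(clientID) + ":" + url.QueryEscape(clientSecret)
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(creds))
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ClientAssertion builds the private_key_jwt assertion: RS256, kid = keyId, iss = sub = clientId.
// The key is any RSA private key of your own (assumed here); exp = iat + 1h is this example's choice.
func ClientAssertion(key *rsa.PrivateKey, keyID, clientID, aud string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": keyID})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": aud, "iat": now.Unix(), "exp": now.Add(time.Hour).Unix(),
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signingInput + "." + b64url(sig), err // token is only usable when err == nil
}

// VerifyAssertion is the receiving side's check: the RS256 signature over header.payload
// must validate under the registered public key before any claim is trusted.
func VerifyAssertion(pub *rsa.PublicKey, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[2])
	payload, errPayload := base64.RawURLEncoding.DecodeString(parts[1])
	if errSig != nil || errPayload != nil {
		return nil, errors.New("bad base64url segment")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(payload, &claims)
}
```

Feeding the page's client_id and client_secret into `BasicAuthHeader` reproduces the header value shown in the Client Secret Basic section; an assertion verified under any other public key, or with its signature altered, is rejected by `VerifyAssertion`.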