Getting "error": "invalid_assertion" in Token Endpoint OIDC api call

Hi @reshamchugani @Anusha_sunkadh

I am trying to obtain a token using end point

After successfully authenticating using the UI, I generated the assertion token based on the requirement in the endpoint, but when I make the call, I am getting the invalid assertion error.
So in my JWT, which section is missing? Below is the sample JWT generated with its details.

{
  "alg": "HS256",
  "typ": "JWT"
}

{
  "iss": "XaOVhjFTX_H8UiZf-O1TuV4ChixshdO8RqghtA_cRUM",
  "sub": "XaOVhjFTX_H8UiZf-O1TuV4ChixshdO8RqghtA_cRUM",
  "aud": "",
  "exp": 1712917120,
  "iat": 1712913520
}

verify signature

base64UrlEncode(header) + "." +



Full JWT token is below.


Hi @James_Simbi_Mjuweni ,

Based on the JWT shared, all the claim values seem correct. The only reason it could fail is that the private key used to sign the assertion might not be the right one.

Use the same private key corresponding to the public key shared during OIDC client onboarding.

Alright, let me try that

@Anusha_sunkadh @reshamchugani Is it possible to share a sample assertion? I just wanted to see how the properties are signed and available in that token.

I signed the token but I am still getting the same error:
{error: 'invalid_assertion', error_description: 'invalid_assertion'}

Dear James,

We have duly noted your issue and kindly request your patience as we work to address your inquiry.

Your query is important to us, and we will provide a response shortly.

Thank you for your understanding and patience.

Best regards,

Hi James,

Please find the sample client assertion below.

Also, one more point, James: the registered public key is for the "RS256" algorithm, but why is the client assertion signed with "HS256"?


Thank you @Anusha_sunkadh
I will try changing the algorithm.

But I am seeing new fields in your JWT, "nbf": 1713245536 and "jti": "_gKXrlMgPvTOUN5oz4vYJ".

Which ones are these? The documentation doesn't indicate them. What are they?

And maybe a question: is it possible to change the certificates after an account has already been created?


Only the "sub", "aud", "iss", "exp" and "iat" claims are required in the client assertion. "nbf" and "jti" are optional.

You can raise a request to update or create a new OIDC client with the new public key.

Let me generate a new certificate so that I can remove the possibility of the certificate being the reason why the call is failing.

Are there any updates here, @James_Simbi_Mjuweni?

No ma'am, thanks. It worked. All I want now is to update the return URL and test it online.

Sure, we will update it, James.
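
A pre-flight check for the mismatch that came up in this thread (assertion header `alg` versus the algorithm the public key was registered for, plus the five required claims), as an added example that is not part of the original thread or the provider's code. The function names, the placeholder client id and audience, and the dummy signature segment are assumptions made for illustration.

```python
import base64
import json
import time

REQUIRED_CLAIMS = ("sub", "aud", "iss", "exp", "iat")  # listed as required in the thread

def _b64url_json(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def lint_client_assertion(token, registered_alg="RS256", now=None):
    """Return a list of problems. This does NOT verify the signature."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS: expected header.payload.signature"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["header and payload must be JSON objects"]
    problems = []
    alg = header.get("alg")
    if alg != registered_alg:
        problems.append(f"alg is {alg}, but the registered key is for {registered_alg}")
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            problems.append(f"missing required claim: {name}")
    exp, iat = claims.get("exp"), claims.get("iat")
    if isinstance(exp, (int, float)):
        if exp <= now:
            problems.append("exp is in the past")
        if isinstance(iat, (int, float)) and exp <= iat:
            problems.append("exp is not later than iat")
    return problems

def _encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_token(alg):
    # Constructed sample: timestamps follow the thread; id, aud and signature are placeholders.
    claims = {"iss": "CLIENT_ID_PLACEHOLDER", "sub": "CLIENT_ID_PLACEHOLDER",
              "aud": "AUDIENCE_PLACEHOLDER", "exp": 1712917120, "iat": 1712913520}
    return ".".join([_encode({"alg": alg, "typ": "JWT"}), _encode(claims), "c2ln"])

if __name__ == "__main__":
    for alg in ("HS256", "RS256"):
        print(alg, lint_client_assertion(sample_token(alg), now=1712913600))
```

A clean result only means the header and claims are well-formed; the token endpoint still rejects the assertion if it was signed with a private key that does not match the registered public key.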