I'm having issues trying to verify my token for PDS FHIR

Hi Community!
We had the following question raised via email:

I’m trying to connect to https://int.api.service.nhs.uk/oauth2/token to get an authorisation token to then connect to the PDS API.
Token for use in Personal Demographics Service - FHIR API
Using the integration environment
Full request:
grant_type=client_credentials&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=eyAiYWxnIjogIlJTNTEyIiwgInR5cCI6ICJKV1QiLCAia2lkIjogInRlc3QtMiIgfQ.eyAiaXNzIjogInYySzlhQUNvUTh1M3prcDE2Z3lmbzBzM2hBNVJwU3dwIiwgInN1YiI6ICJ2Mks5YUFDb1E4dTN6a3AxNmd5Zm8wczNoQTVScFN3cCIsICJhdWQiOiAgImh0dHBzOi8vaW50LmFwaS5zZXJ2aWNlLm5ocy51ay9vYXV0aDIvdG9rZW4iLCAianRpIjogIjYzZTRjZWZhLTE3NDQtNDRhMS1hMWU1LTU2YjYzNmM2ZjY2NyIsICJleHAiOiAxNjc1OTM5ODY4IH0.lXCYkEwjpqNkvO5ADV76XhtfPks2_k1lwOG4BDFX3cgCg7TPUebQ6IF9PO1QDytQtcIxIxOKkCeSxdOVFWAKqah5EjOWDED8gt_d4MFQgLDUv2XW0h47zHRZFNbF4j0zp8qVG2hx3y693k0T3rtE-KeuqmKAtCDR-fwCV_85wcUnk24HasQRMrtlp7bBfeRWL3fT3FHcDudbMd-5O6Oj9eSh5wvxuBlsAWmqchnAf9sAdf-UtKXHn-LVJdhG8T3DmgtVukgjHP2cCVSJ7Epm00VHMrEh7HR6JtyJPnfPUnFwW4KdNP8D4yBPncydX3h7MNufI41SEEuDTnpL4DxlwUufqPAW-oEVZ4Ui4O7HbC9cUC-kAKBnR064Jxu5CSI5rb5igoVRzmWE2OCRmcMexThV6Vsg8Hcf6oEJdem07730h50mW5lewPbY_oU9VCY1qDHeMzNswV5WMxr8Yg2iFY4sAuREMGD37fqwkzc5ClHkfGT0aSj2riZcgL19Fpn9FRpMG3KGZychBoLIrcBtzFjwlhejNRkjs-7z4A4WLixX3N-uJnimEEpQqUXZGn-TV6PCqbFt-55d6HNSFeaXFMq6PEIntKSnyXUCn9BMkTWMd7m9X6ZbFdMaKddIRanfWMU2m1O_xwEmdKrZZuCVmuX0zstc2iporb4FrS8WDv0
Full response:

  {
    "error": "public_key error",
    "error_description": "JWT signature verification failed",
    "message_id": "rrt-2988346794993847258-b-geu2-24713-96323-1"
  }

I have been able to verify my signature on jwt.io website with the public key I uploaded and you host for me.
Can you explain why my signature can't be verified on your end?
Thanks in advance.

Our support team has advised:
You need to check your private/public keys match and are valid.
It tends to be that their jwks url is a valid jwks url, has a kid that matches but the public/private key don’t match.
They should check their set up. Are they using the right private key that matches the ones on their url?

Hi Haroon, I had similar problems, but understandably it's hard to debug these on both sides when things go wrong.
Some things to check:
Are you signing with the right algorithm? SHA512, not SHA256.
Is your signature over the string “encodedHeader.encodedPayload”, not encodedHeader.encodedPayload?
Can you verify on jwt.io using only your public key?
Best of luck, I got it working recently after some trial and error on my side.
James

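To make the "do the keys match?" check concrete, here is an added diagnostic script (my own example, not NHS Digital's code or anything from the posts above). It does what the gateway does when it rejects the assertion: reads the JWT header, looks up the kid in the JWKS you publish, and verifies the RS512 signature with that public JWK. The RSA arithmetic is pure Python so it runs offline; the seeded 1024-bit demo key and the Fermat primality check are assumptions for the demonstration only, so swap in your real assertion string and the JSON fetched from your JWKS URL when using it.

```python
import base64, hashlib, json, random

SHA512_PREFIX = bytes.fromhex("3051300d060960864801650304020305000440")  # DigestInfo DER prefix, RFC 8017 9.2
def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _emsa(msg: bytes, k: int) -> int:
    # EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo||SHA-512(msg), k = modulus length in bytes
    t = SHA512_PREFIX + hashlib.sha512(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_assertion(claims, kid, n, d, alg="RS512"):
    # Signature is always SHA-512/RSA; `alg` only labels the header so a test can mislabel it
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    sig = pow(_emsa(signing_input.encode(), k), d, n).to_bytes(k, "big")
    return signing_input + "." + b64u(sig)

def verify_assertion(jwt, jwks):
    """Return 'ok' or the reason, mirroring the checks the gateway applies."""
    h_b64, p_b64, s_b64 = jwt.split(".")
    header = json.loads(b64u_dec(h_b64))
    if header.get("alg") != "RS512":
        return f"alg is {header.get('alg')}, expected RS512"
    key = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if key is None:
        return "kid not present in JWKS"
    n = int.from_bytes(b64u_dec(key["n"]), "big")
    e = int.from_bytes(b64u_dec(key["e"]), "big")
    s = int.from_bytes(b64u_dec(s_b64), "big")
    if pow(s, e, n) != _emsa(f"{h_b64}.{p_b64}".encode(), (n.bit_length() + 7) // 8):
        return "signature does not verify with the JWKS key: private/public key mismatch"
    return "ok"

def _prime(bits, rng):  # Fermat test on fixed bases: fine for a demo key, not for real ones
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11, 13)):
            return c

def demo_keypair(seed, kid):  # deterministic 1024-bit RSA key plus the JWK a JWKS URL would publish
    rng = random.Random(seed)
    p, q = _prime(512, rng), _prime(512, rng)
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    to_b = lambda x: x.to_bytes((x.bit_length() + 7) // 8, "big")
    jwk = {"kty": "RSA", "kid": kid, "n": b64u(to_b(n)), "e": b64u(to_b(e))}
    return n, d, jwk
```

Signing with one key while the JWKS carries another reproduces the "JWT signature verification failed" outcome, while a wrong kid or an RS256 header fail earlier with their own reason.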

Thanks for taking the time to provide your insight James, that’s very helpful!

Hello, I have the same issue right now.

Can you please let me know how to check whether the private and public keys are mismatched? I created the keys using jwt.io and following the instructions, steps 3 and 4.

Hi, sorry again. It worked after correcting a few minor mistakes.