Invalid 'iss'/'sub' claims in client_assertion JWT

Application ID 46b9ee81-5164-4af6-8371-9d716830188f
kid test-1

{
"iss": "RtUM17kYJP68sqqjVAcJ4x1NFI0yStAG",
"sub": "RtUM17kYJP68sqqjVAcJ4x1NFI0yStAG",
"aud": "https://api.service.nhs.uk/oauth2/token",
"exp": 1760010148,
"iat": 1760009848,
"jti": "9dc78d5b-62fd-47d9-9eac-1e4e01d32220"
}

{
"grant_type": "client_credentials",
"client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
"client_assertion": "eyJhbGciOiJSUzUxMiIsImtpZCI6InRlc3QtMSIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJSdFVNMTdrWUpQNjhzcXFqVkFjSjR4MU5GSTB5U3RBRyIsInN1YiI6IlJ0VU0xN2tZSlA2OHNxcWpWQWNKNHgxTkZJMHlTdEFHIiwiYXVkIjoiaHR0cHM6Ly9hcGkuc2VydmljZS5uaHMudWsvb2F1dGgyL3Rva2VuIiwiZXhwIjoxNzYwMDEwMTQ4LCJpYXQiOjE3NjAwMDk4NDgsImp0aSI6IjlkYzc4ZDViLTYyZmQtNDdkOS05ZWFjLTFlNGUwMWQzMjIyMCJ9.0iNJ7cwAbxxflAKg80DOSioXN2yhCAH03_K01P8KVma1c4P8H9DePNfTduENd7L0nMqoXVJD1dih_4geBXez1IQdvma9SR3aA9t84QftyUM0TChv5nL1mXIScZBEnqxDFFlq2vmw5cvJurpDhMyhasiBj54HHy5G_lqF2Zc-1IxXCXcxDPbkYCeIc52dSWNuKMqJABRS7ZDivYdsi7l2ORCfMevF_TKA0hUDr1nCsHJrIE5pPDeneo-GypNMW-ck3RPZt2IT_l_PtV89LvQwbTW5gcc5Or68MQ3CydeDlhfBIVdW91km5vry9QSh1SD0d15HIOEEOjPlEwyXE6r3RB1sjH931atAmAAk3W0wDwEnRsYxosNhW8UouEO20SFFmDpltKY0FMcef3Gnd9EkTMLFPONQ98cXLgOpVF86qbEAocp1YTET5QkcGXfDzWOkZ1eW6RPfA-ZNpRxKjkm7Iy6UOax9xP6kprbmXmHHk0EVtZbBHIviTlQ57oUGDWWHJktQ9sk24Hz2yOQF4pUjLbzX6IhAf_IBNXwZhq0ApL914q5waybxiy-yPJ_cRXgRxYOXLoXEATNUG0qE3q-dJx8z_ro97PyV3yIAWPzaaFTRS-10_GY9ZMDLl92iKJAbubKZXDnLSbPWyHBh3JiLZOS1w7UVklsXP2MFDvRmHbA",
"client_id": "RtUM17kYJP68sqqjVAcJ4x1NFI0yStAG"
}

Token request failed:
{
"error": "invalid_request",
"error_description": "Invalid 'iss'/'sub' claims in client_assertion JWT",
"message_id": "rrt-2806264692905980563-b-geu2-3900982-48576137-1"
}

Hi Andrei,

The Invalid ‘iss’/‘sub’ claims in client_assertion JWT error occurs because the JWT claims don’t match the registered API key and environment expected by the NHS API Platform. Basically, you are putting the wrong identifier in the JWT claims.

You could try and use your API key (not Application ID) for both iss and sub, ensure aud matches the correct environment’s token URL, and verify your JWT is signed using the registered JWKS key.

Hope this helps.

Thanks,

NHS England API Platform team

Please note: The API Platform team can only address queries relevant to the NHS England API platform, including security, rate limiting, logging, monitoring and alerting. For any API specific queries, please reach out to the relevant API teams.

Thank you for the response.
I am using the API Key in both iss and sub. So I am good here.
I am using https://api.service.nhs.uk/oauth2/token as the token URL, and it may not be the correct one.
How can I find the token URL to use in my case?

Resolved by using the sandbox URL:

https://sandbox.api.service.nhs.uk/oauth2/token

Glad you managed to find and use the sandbox environment URL. If you’re testing in INT, use: https://int.api.service.nhs.uk/oauth2/token

Thanks,

NHS England API Platform team
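
A local pre-flight check for the points raised in this thread (iss and sub set to the API key, aud equal to the token URL of the environment the request is sent to), added here as an example and not part of any post or of NHS England's own tooling. The function names, the placeholder API key and the sample token are constructed for illustration; the signature is not verified.

```python
import base64
import json
import time

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_client_assertion(assertion, api_key, token_url, now=None):
    """List problems in a client_assertion's header and claims before sending.
    Inspection only: the signature part is not verified."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    problems = []
    if not header.get("kid"):
        problems.append("header has no kid")
    for name in ("iss", "sub"):
        if claims.get(name) != api_key:
            problems.append(f"{name} is not the API key")
    if claims.get("aud") != token_url:  # exact match with the URL being POSTed to
        problems.append(f"aud {claims.get('aud')!r} != token URL {token_url!r}")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp is missing or in the past")
    if not claims.get("jti"):
        problems.append("jti is missing")
    return problems

# Constructed sample: placeholder key, unsigned token with a dummy signature part.
API_KEY = "EXAMPLE_API_KEY"
PROD_URL = "https://api.service.nhs.uk/oauth2/token"
SANDBOX_URL = "https://sandbox.api.service.nhs.uk/oauth2/token"

def sample_assertion(aud, iat=1760009848):
    header = {"alg": "RS512", "kid": "test-1", "typ": "JWT"}
    claims = {"iss": API_KEY, "sub": API_KEY, "aud": aud,
              "exp": iat + 300, "iat": iat, "jti": "constructed-jti-0001"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.c2ln"
```

Calling `check_client_assertion(sample_assertion(PROD_URL), API_KEY, SANDBOX_URL)` reports the aud mismatch between a token built for one environment and a request sent to another.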
