Hi, I’m trying to authenticate with JWT on the integration environment and have done everything from the Application-restricted RESTful APIs - signed JWT authentication - NHS England Digital instructions. I’ve put my application API key into ‘iss’/‘sub’ as it is described:

| Claim | Description | Type |
| --- | --- | --- |
| iss | The issuer of the JWT. Set this to your API Key. | string |
| sub | The subject of the JWT. Also set this to your API Key. | string |

The ‘aud’ is set to integration - int.api.service.nhs.uk/oauth2/token
I’ve tried to find a resolution in other topics but still get the ‘Invalid ‘iss’/‘sub’ claims in client_assertion JWT’ error on authentication and cannot move any further. What steps could I try to resolve the issue?
Hi Dmytro,
Could you please verify the API key provided in the iss/sub is correct. The API key can be found under your app → Active API keys → Edit → Key.
Thanks,
Vini Akshara Kannan
Hi,
The problem was not in the API key; the request was being made to the production environment, not integration. But when I changed it I get the “Missing or invalid ‘aud’ claim in client_assertion JWT” error. I tried to set ‘aud’ both to ‘int.api.service.nhs.uk/oauth2’ and ‘int.api.service.nhs.uk/oauth2/token’ as described in the example, but the same error appears. What else can be checked in the request, as I’m out of ideas now?

Hi,
The new error — “Missing or invalid ‘aud’ claim in client_assertion JWT” — almost always means the aud in your signed JWT does not exactly match the token URL you are POSTing to in INT.
In INT, the audience must be the INT token endpoint string, character-for-character, so please re-check for:
- Missing https://
- Using api.service.nhs.uk instead of int.api.service.nhs.uk
- Extra spaces or hidden characters in the claim
- Posting to one URL but signing the JWT with a different aud value
- Verify you are using the INT app’s client id in iss/sub (not a PROD one).
If you continue to get errors, please let us know and at our end we can check your INT app’s JWKS URL & kid (and clear any stale key cache if you rotated keys). If you also paste your JWT header/payload (redacted) and the exact POST URL, we can sanity-check it here.
Thanks,
NHS England API Platform team
Please note: The API Platform team can only address queries relevant to the NHS England API platform, including security, rate limiting, logging, monitoring and alerting. For any API-specific queries, please reach out to the relevant API teams.
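The checks the team lists can be run locally before the assertion is signed and POSTed. This is an added example, not code from the NHS docs or from either poster: it builds the client_assertion claims for an API key and runs a preflight comparison of aud against the token URL that will be POSTed to. The PROD token URL, the jti/exp claims and the hidden-character test are assumptions the thread does not state.

```python
import base64
import json
import time
import unicodedata
import uuid

# The INT token URL is quoted in the thread; the PROD one is an assumption.
INT_TOKEN_URL = "https://int.api.service.nhs.uk/oauth2/token"
PROD_TOKEN_URL = "https://api.service.nhs.uk/oauth2/token"


def build_claims(api_key: str, token_url: str, lifetime_s: int = 300) -> dict:
    """Claims for the client_assertion JWT: iss and sub are the app's API key,
    aud is the exact token URL the assertion will be POSTed to. jti and exp
    are included as assumed requirements; the thread does not discuss them."""
    now = int(time.time())
    return {"iss": api_key, "sub": api_key, "aud": token_url,
            "jti": str(uuid.uuid4()), "exp": now + lifetime_s}


def decode_payload(jwt_str: str) -> dict:
    """Read the payload of a compact JWT without verifying it (local review only)."""
    parts = jwt_str.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    pad = "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(parts[1] + pad))


def preflight(claims: dict, token_url: str, api_key: str) -> list:
    """Return the reasons this assertion would be rejected, mirroring the
    checks in the reply above. An empty list means the claims look right."""
    problems = []
    aud = claims.get("aud")
    if not isinstance(aud, str) or not aud:
        return ["aud claim missing"]
    if aud != aud.strip():
        problems.append("aud has leading/trailing whitespace")
    if any(unicodedata.category(ch)[0] in "CZ" for ch in aud.strip()):
        problems.append("aud contains spaces, hidden or control characters")
    if not aud.startswith("https://"):
        problems.append("aud is missing the https:// scheme")
    if token_url == INT_TOKEN_URL and "int.api.service.nhs.uk" not in aud:
        problems.append("aud names api.service.nhs.uk but the POST goes to INT")
    if aud != token_url:
        problems.append("aud does not match the POST URL character-for-character")
    for claim in ("iss", "sub"):
        if claims.get(claim) != api_key:
            problems.append(f"{claim} is not this environment's API key")
    if claims.get("exp", 0) <= int(time.time()):
        problems.append("exp is missing or already in the past")
    return problems
```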