Malformed JWT for Token Exchange

I am working through doing a Token Exchange as laid out in the CIS2 Separate Authentication and Authorization, using the Sandbox Environment, and I keep getting back a “Malformed JWT in client_assertion” error.

The JWT is valid when checked with

The most recent example:

Any help would be appreciated, Thank you.

Hello glabonte,
Did you use the Token in postman or via code?

I’ve tried both, but have resorted to Postman for the short term.

Hello glabonte,
The Team have taken a look and the JWT looks fine, but it is possibly how its being created is why its invalid.
Can you list the App ID so we can check the App looks as it should be, thank you.

Hi @alan.rawlings2,
The app ID is 33f00de9-75c6-44fb-84f8-31069537068b.

hi @glabonte
i am working on a similar thing and wonder where the Relying Party code(client_id) should come from. :pray:

Regarding the question, the sandbox env requires token in order to consume API ?

Hello glabonte, Which specific API does this relate to?

Running your token through JWTIO gives the following error;

“Looks like your JWT signature is not encoded correctly using base64url (RFC 4648 - The Base16, Base32, and Base64 Data Encodings). Note that padding (”=“) must be omitted as per RFC 7515 - JSON Web Signature (JWS)

Maybe this will help?

I am trying to get started with eRS in Healthcare worker mode.

Hello glabonte,

The team have adivsed, if you are in the sandbox environment the URL is, not int.