# Client Assertion

Authentication by client assertion is similar to authentication by client secret, except that instead of transmitting the shared secret over the network, the client creates a JWT and signs it with its private key. Aritma Id only stores the corresponding public key, which it uses to validate the signature.

## Token request

Once you have received your authorization code, it is time to exchange it for a usable access token. This is done using the `/connect/token` endpoint. In short, you send a token request with `grant_type=authorization_code` together with the supplied `code` and `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, and also include your `client_assertion` and the `redirect_uri`.

### POST /connect/token

```HTTP Request
POST https://id.aritma.io/{tenant}/connect/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

client_assertion=YOUR_JWT_SIGNED_TOKEN&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
grant_type=client_credentials
```

```HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "eyJz93a...k4laUWw",
  "refresh_token": "GEbRxBN...edjnXbL",
  "id_token": "eyJ0XAi...4faeEoQ",
  "token_type": "Bearer",
  "expires_in": 86400
}
```

| Parameter | Description |
| --- | --- |
| `grant_type` (required) | Denotes the flow you are using. For client secret use `client_credentials`. |
| `client_assertion_type` (required) | Must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. |
| `client_assertion` (required) | A JWT signed with your private key. Must include a subject (`sub`) claim containing the application's `client_id`. |
| `scope` (required) | The scope for the access token; it cannot be an OpenID scope. |