Network Clients with JWT

When you select Allow network clients (REST, gRPC, remote cert-manager) in the client access settings for a configuration, clients authenticate using JSON Web Tokens (JWT).
Choose one of the following client identification methods:

To Configure Clients with Registered JWT Claims

Use registered JWT claims such as sub, iss, or aud for identity verification when Distributed Issuer and cert-manager are installed in different environments.
Tip: To get the Issuer URL from a Kubernetes cluster, run:
kubectl get --raw "/.well-known/openid-configuration" | jq .issuer
  1. For each client, enter the following fields and click Add.
     Friendly Name: A display name for the client.
     Issuer URL: The IdP issuer URL. Verification keys resolve via OIDC Discovery. Must be reachable without authentication by Distributed Issuer instances.
     Custom JWKS URI: Optional. Overrides the OIDC Discovery endpoint for key resolution.
     Subjects: The sub values for token verification. A token is accepted only if its subject exactly matches an entry. For Kubernetes service accounts, use system:serviceaccount:<namespace>:<service-account-name>.
     Allowed Policies: The issuance policies this client can request.
  2. In Audience, enter the target audience (the expected value of the aud claim) used for validation.
  3. Select the Minimum TLS Protocol Version, choosing the most recent version your environment supports.
  4. Under Policies, select the Allowed Policies that clients can use.
  5. Click Create to save the configuration. See What's Next? for next steps.

To Configure Clients with Custom JWT Claims

Use custom JWT claims for flexible identity at scale. Choose one of the following authentication methods:

OpenID Connect

OpenID Connect (OIDC) requires Distributed Issuer v1.9.1 or later.
  1. Enter the Issuer URL to retrieve authorization server metadata.
  2. Enter the Audience to register Distributed Issuer with the identity provider.
  3. (Optional) Under Alternative Claim Names, specify custom names for the following fields:
    • venafi-firefly.configuration
    • venafi-firefly.allowedPolicies
    • venafi-firefly.allowAllPolicies
  4. Select the Minimum TLS Protocol Version, choosing the most recent version your environment supports.
  5. Under Policies, select the Allowed Policies that clients can use.
  6. Click Create to save the configuration. See What's Next? for next steps.

JWT Signature Verification

  1. Enter one or more JWKS URIs that point to the trusted public keys. Include the FQDN and protocol, for example https://idp.example.com/jwks.
  2. (Optional) Under Alternative Claim Names, specify custom names for the following fields:
    • venafi-firefly.configuration
    • venafi-firefly.allowedPolicies
    • venafi-firefly.allowAllPolicies
  3. Select the Minimum TLS Protocol Version, choosing the most recent version your environment supports.
  4. Under Policies, select the Allowed Policies that clients can use.
  5. Click Create to save the configuration. See What's Next? for next steps.
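The following is an added illustrative example, not Distributed Issuer's own code. It models the claim checks described in both sections above: the registered-claim client entry (iss, aud, exact sub match, Allowed Policies) and the custom venafi-firefly.* claims with their Alternative Claim Names. The client values, the placeholder signature segment, and the decision to apply both kinds of check in one function are assumptions; signature verification against the resolved JWKS is assumed to have already succeeded.

```python
# Added illustrative example (not Distributed Issuer's own code): claim checks on
# a JWT payload whose signature was already verified against the resolved JWKS.
import base64
import json
import time

# Constructed client entry mirroring the fields on this page (values assumed).
CLIENT = {
    "issuer": "https://idp.example.com",
    "audience": "distributed-issuer",
    "subjects": {"system:serviceaccount:cert-manager:cert-manager"},
    "allowed_policies": {"internal-tls", "short-lived-mtls"},
    # Alternative Claim Names; the defaults are the venafi-firefly.* claims.
    "policies_claim": "venafi-firefly.allowedPolicies",
    "all_policies_claim": "venafi-firefly.allowAllPolicies",
}

def encode_unsigned(claims: dict) -> str:
    """Constructed demo token: header.payload.placeholder, no real signature."""
    segs = [json.dumps({"alg": "RS256", "typ": "JWT"}), json.dumps(claims)]
    enc = [base64.urlsafe_b64encode(s.encode()).rstrip(b"=").decode() for s in segs]
    return ".".join(enc + ["placeholder"])

def decode_payload(token: str) -> dict:
    """Parse the claims set only; signature verification is assumed done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def authorize(claims: dict, cfg: dict, now=None) -> set:
    """Return the policies this client may request, or raise PermissionError."""
    now = time.time() if now is None else now
    if claims.get("iss") != cfg["issuer"]:
        raise PermissionError("issuer mismatch")
    aud = claims.get("aud", [])
    if cfg["audience"] not in ([aud] if isinstance(aud, str) else aud):
        raise PermissionError("audience mismatch")
    if "exp" in claims and now >= claims["exp"]:
        raise PermissionError("token expired")
    if claims.get("sub") not in cfg["subjects"]:  # exact match, no wildcards
        raise PermissionError("subject not registered")
    if claims.get(cfg["all_policies_claim"]) is True:
        return set(cfg["allowed_policies"])
    requested = set(claims.get(cfg["policies_claim"], []))
    if not requested <= cfg["allowed_policies"]:
        raise PermissionError("policy not allowed for this client")
    return requested
```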