# Client Assertion

This page defines the JWT payload that should be provided to generate an iSHARE JWT client assertion for the [access token endpoint](https://dev.ishare.eu/version-2.0.1/all-roles-common-endpoints/access-token-m2m-1).

## JWT Payload

In addition to the [iSHARE JWT](https://dev.ishare.eu/version-2.0.1/reference/ishare-jwt) payload requirements, the following also apply:

* The iss and sub claims MUST contain the valid iSHARE identifier (EORI) of the client.
* The aud claim MUST contain only the valid iSHARE identifier of the server. Including multiple audiences creates a risk of impersonation and is therefore not allowed.

In OAuth 2.0, clients are generally pre-registered. Since iSHARE servers interact with clients that were previously unknown to them, this is not a workable requirement. Therefore iSHARE implements a generic client identification and authentication scheme based on iSHARE whitelisted PKIs.

Since OAuth 2.0 does not specify a PKI-based authentication scheme but OpenID Connect 1.0 does, iSHARE uses the scheme specified by OpenID Connect in all use cases. This is preferred over defining a new proprietary scheme.

Example Client Assertion JWT Payload:

```json
{
  "iss": "EU.EORI.NL123456789",
  "sub": "EU.EORI.NL123456789",
  "aud": "EU.EORI.NL987654321",
  "jti": "378a47c4-2822-4ca5-a49a-7e5a1cc7ea59",
  "exp": 1504683475,
  "iat": 1504683445
}
```
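As an added illustration (not part of the iSHARE specification or any iSHARE reference code), the following Python checks an already decoded client assertion payload against the claim rules above, assuming signature verification and the generic iSHARE JWT checks are done elsewhere; the server identifier, the function name and the EU.EORI prefix check are assumptions.

```python
from typing import Any, Dict, Tuple

# Constructed sample payload, mirroring the example on this page.
SAMPLE_PAYLOAD: Dict[str, Any] = {
    "iss": "EU.EORI.NL123456789",
    "sub": "EU.EORI.NL123456789",
    "aud": "EU.EORI.NL987654321",
    "jti": "378a47c4-2822-4ca5-a49a-7e5a1cc7ea59",
    "exp": 1504683475,
    "iat": 1504683445,
}


def validate_client_assertion_payload(
    payload: Dict[str, Any], server_eori: str, now: int
) -> Tuple[bool, str]:
    """Apply this page's claim rules to a decoded client assertion payload.

    Hypothetical helper: the JWT signature and the generic iSHARE JWT rules are
    assumed to have been verified by the caller. Returns (ok, reason).
    """
    required = ("iss", "sub", "aud", "jti", "exp", "iat")
    missing = [c for c in required if c not in payload]
    if missing:
        return False, f"missing claims: {', '.join(missing)}"

    iss, sub, aud = payload["iss"], payload["sub"], payload["aud"]
    # iss and sub MUST both carry the client's iSHARE identifier, so they must match.
    if not isinstance(iss, str) or iss != sub:
        return False, "iss and sub must both be the client EORI"
    # Identifier shape as in the page's example (assumed prefix check).
    if not iss.startswith("EU.EORI."):
        return False, "iss is not an EORI-style iSHARE identifier"

    # aud MUST be exactly one identifier. A JSON array, even of length one, or
    # any value other than this server's identifier is rejected, so an assertion
    # minted for one server cannot be replayed against another.
    if not isinstance(aud, str):
        return False, "aud must be a single string, not a list"
    if aud != server_eori:
        return False, "aud does not match this server's identifier"

    exp, iat = payload["exp"], payload["iat"]
    if not isinstance(exp, int) or not isinstance(iat, int) or exp <= iat:
        return False, "exp must be an integer later than iat"
    if now >= exp:
        return False, "assertion has expired"
    if iat > now:
        return False, "iat is in the future"
    return True, "ok"
```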

{% hint style="info" %}
***Note***

*This page must be considered part of the iSHARE Trust Framework*
{% endhint %}
