I’m working with a client that, in order to use their OAuth 2.0 web API, requires me to provide them with a JWK that contains an embedded X.509 certificate. Then, when I’m requesting information from the API, they say I need to pass a "signed (with private keys) JWT Bearer token" on each request.
I’ve never worked with JWKs before, so I was looking over the official JWK documentation, but it’s very dense and doesn’t really talk about how these are used in real-life applications.
I found this site / command line tool that can generate JWKs in different formats, and it generates the JWK with an X.509 certificate that is self-signed. I’m wondering, in this case, is it okay to use a self-signed cert to talk to this API? I understand that with web browsers, you absolutely need a cert that is from a trusted CA because the client and web server are essentially strangers, but this cert isn’t being used publicly for a website; it’s just being used between my application and this OAuth API, and both parties already trust each other.
So really my question is, would generating a JWK with a self-signed X.509 certificate be sufficient, and then to use the private key of the certificate to sign JWT Bearer tokens when actually using the API?
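The flow the question describes, as an added Go example (not code from the question or from the linked tool): the client generates an RSA key, wraps it in a self-signed certificate and builds the JWK (with the certificate in `x5c`) it would register with the API; `SignJWT` produces the bearer token for each request; `VerifyJWT` is what the API does with the JWK it has on file. The one-year validity, the claim names and the function names are assumptions.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"strings"
	"time"
)
var b64 = base64.RawURLEncoding // JOSE segments are unpadded base64url; x5c alone is plain base64
// SelfSignedJWK makes an RSA key, a self-signed certificate for it (issuer == subject) and the public JWK to register, with the DER cert as x5c.
func SelfSignedJWK() (*rsa.PrivateKey, map[string]any) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)} // assumed 1-year validity
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return key, map[string]any{"kty": "RSA", "use": "sig", "alg": "RS256", "n": b64.EncodeToString(key.N.Bytes()),
		"e": b64.EncodeToString(big.NewInt(int64(key.E)).Bytes()), "x5c": []string{base64.StdEncoding.EncodeToString(der)}}
}

// SignJWT builds a compact RS256 JWT over claims with the JWK's private key (usable only when err is nil).
func SignJWT(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body) // the signing input is header.payload
	h := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return in + "." + b64.EncodeToString(sig), err
}

// VerifyJWT is the API side: the token must verify under the cert in the registered JWK's x5c, so trust rests on that registration, not on a CA chain.
func VerifyJWT(token string, jwk map[string]any) bool {
	der, _ := base64.StdEncoding.DecodeString(jwk["x5c"].([]string)[0])
	cert, err := x509.ParseCertificate(der)
	parts := strings.Split(token, ".")
	if err != nil || len(parts) != 3 {
		return false // unparsable certificate or malformed compact JWT
	}
	sig, err := b64.DecodeString(parts[2])
	return err == nil && cert.CheckSignature(x509.SHA256WithRSA, []byte(parts[0]+"."+parts[1]), sig) == nil
}
```

`jwk["x5c"]` is a `[]string` here because the map is built in-process; a JWK decoded from JSON would carry `[]any` instead.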