---
title: "Using Secret Manager for PDP JWT Signing"
slug: "using-secret-manager-for-pdp-jwt-signing"
updated: 2026-05-24T15:30:02Z
published: 2026-05-24T15:30:02Z
---


# Using Secret Manager for PDP JWT Signing

PlainID supports returning Authorization decisions as signed JWTs, enabling secure and verifiable responses from the Policy Decision Point (PDP). To enable this capability, the PDP retrieves a private signing key through the Secret Management Service, and additional configuration is required at both the Policy Authorization Agent (PAA) and Policy Administration Point (PAP) levels.

The following sections describe how to configure these settings, including defining the key source and customizing the attributes of the signed JWT response.

#### Scope Level Configuration

In addition to configuring the Secret Management Service and Secret Store in the Policy Authorization Agent (PAA), the JWT-related settings described below must be configured at the Scope level in the PlainID Policy Administration Point (PAP).

#### JWT Sign In Settings

![JWT Sign In Setting.png](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/JWT%20Sign%20In%20Setting.png)

This section includes the relevant configuration attributes for obtaining the private key used to sign the PlainID Policy Decision Point (PDP) JWT.

| Attribute | Description | Behavior |
| --- | --- | --- |
| Secret Store | The ID of the Secret Store to use (PAA can use multiple Secret Stores). | If no Secret Store is defined, the default secret store (where `default=true`) will be used. If a value is specified, the specified Secret Store will be used. |
| Path to Key | Define the path to the key location in the vault (relevant only for Secret Stores of type vault). | If not specified, the `details.defaultPath` from the Secret Store configuration will be used. |
| Key Name | Define the name of the key. | If not defined, the PlainID ClientID is used as the Key Name. |

#### JWT Response Settings

![JWT Response Setting image.png](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/JWT%20Response%20Setting%20image.png)

**JWT Response Attribute Settings**

| Attribute | Description |
| --- | --- |
| KeyID | Defines the `kid` value included in the JWT header. The PDP signs responses as JWTs using keys defined by the user as part of Scope management. If no KeyID is defined, the Scope ClientID is used as the `kid` value; entering a custom KeyID overrides this default. |
| Audience | The value to include in the `aud` claim. |
| X509 Certificate | The public X.509 certificate that is published at the PDP JWKS URL. It allows the consumer of PDP decisions to validate the PDP-signed JWT. The `kid` of the X.509 certificate entry in the JWKS is the ClientID of the PlainID Scope. |
| Token Lifetime - EXP (Seconds) | The token lifetime in seconds, which determines the `exp` claim. |
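The settings above only pay off if the consumer of a PDP decision actually checks them. The following Go program is an added example, not PlainID code: it mimics the PDP side (an RS256 JWT with `kid` in the header and `aud`/`exp` in the claims, where `exp` = `iat` + Token Lifetime) and the consumer side (select the JWKS entry by `kid`, take the public key from its published X.509 certificate, verify the signature, then enforce `aud` and `exp`). The JWKS field subset (`kid`, `x5c`), the `result` claim name, the kid value `scope-client-id` and the audience `https://app.example.test` are constructed assumptions; a real consumer would fetch the JWKS document from the PDP JWKS URL instead of building it locally.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwksKey is the subset of a JWKS "keys" entry used here: kid plus the x5c chain the page says the PDP publishes (assumed subset).
type jwksKey struct {
	Kid string   `json:"kid"`
	X5c []string `json:"x5c"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// buildJWKS self-signs a certificate for priv and publishes it under kid (the page's default kid is the Scope ClientID).
func buildJWKS(priv *rsa.PrivateKey, kid string, now time.Time) ([]jwksKey, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return []jwksKey{{Kid: kid, X5c: []string{base64.StdEncoding.EncodeToString(der)}}}, nil // x5c is standard base64 DER (RFC 7517)
}

// signDecision mimics the PDP side: RS256 JWT, kid in the header, aud and exp (= iat + Token Lifetime seconds) in the claims.
func signDecision(priv *rsa.PrivateKey, kid, aud, result string, lifetimeSec int64, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(map[string]any{"aud": aud, "iat": now.Unix(), "exp": now.Unix() + lifetimeSec, "result": result})
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// publicKeyForKid selects the JWKS entry by kid and takes the RSA key from its x5c certificate; an unknown kid is an error, never a fallback.
func publicKeyForKid(keys []jwksKey, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys {
		if k.Kid != kid || len(k.X5c) == 0 {
			continue
		}
		der, _ := base64.StdEncoding.DecodeString(k.X5c[0]) // a decode error leaves bad DER, rejected by the parser below
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
			return pub, nil
		}
		return nil, errors.New("JWKS certificate does not carry an RSA key")
	}
	return nil, fmt.Errorf("no JWKS entry for kid %q", kid)
}

// verifyDecision is the consumer side: pin alg, verify the signature with the kid-selected key, then enforce aud and exp.
func verifyDecision(token string, keys []jwksKey, expectedAud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "RS256" { // pin the algorithm; never let the token choose it
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := publicKeyForKid(keys, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]any
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("bad claims")
	}
	exp, _ := claims["exp"].(float64) // a missing exp decodes as 0 and is therefore treated as expired
	if aud, _ := claims["aud"].(string); aud != expectedAud || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("aud/exp check failed (aud=%v, exp=%v)", claims["aud"], claims["exp"])
	}
	return claims, nil
}
```

The verifier rejects a token whose `kid` has no JWKS entry rather than falling back to any published key, pins the algorithm to RS256 instead of honouring whatever `alg` the token carries, and checks `aud` and `exp` only after the signature has been verified, so an unsigned or re-signed payload never reaches the claim checks.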
