---
title: How to Create an OIDC Issuer
url: https://docs.vultr.com/platform/iam/oidc/oidc-issuers/how-to-create-an-oidc-issuer
description: Create a new OIDC issuer in Vultr IAM to enable federated identity authentication. Configure the issuer URL and audience for trusted token verification.
publish_date: 2026-03-24T19:52:48.127795Z
last_updated: 2026-06-01T20:41:38.838167Z
---

An OIDC issuer registers an external identity provider's public key with Vultr so that Vultr can validate JWTs issued by that provider. This enables federated role assumption: users authenticated by the external IdP (such as Okta, Google, or Azure AD) can assume roles in Vultr without separate Vultr credentials.

The issuer requires the JWK (JSON Web Key) public key components from the external identity provider's JWKS endpoint.

Follow this guide to create an OIDC issuer using the Vultr API or Terraform.

=== "Vultr API"

    1. Retrieve the external identity provider's JWKS. Replace `IDP-JWKS-URL` with the provider's JWKS endpoint (e.g., `https://dev-123456.okta.com/oauth2/default/v1/keys`).

        ```console
        $ curl "IDP-JWKS-URL"
        ```

        Note the `kid`, `n`, and `e` values from the first RSA key in the response.

    1. Send a `POST` request to the [**Create OIDC Issuer** endpoint](https://www.vultr.com/api/#tag/oidc/operation/create-oidc-issuer). Replace `IDP-ISSUER-URI` with the provider's issuer URL, and `IDP-KID`, `IDP-N-VALUE`, `IDP-E-VALUE` with the JWK values from the previous step.

        ```console
        $ curl "https://api.vultr.com/v2/oidc/issuer" \
            -X POST \
            -H "Authorization: Bearer ${VULTR_API_KEY}" \
            -H "Content-Type: application/json" \
            -d '{
                "issuer": {
                    "source": "external",
                    "uri": "IDP-ISSUER-URI",
                    "kid": "IDP-KID",
                    "kty": "RSA",
                    "alg": "RS256",
                    "use": "sig",
                    "n": "IDP-N-VALUE",
                    "e": "IDP-E-VALUE"
                }
            }'
        ```

        The `source` field accepts `external` for third-party identity providers. Note the `id` in the response for use in role trust configurations.

=== "Terraform"

    1. Retrieve the signing key values from your identity provider's JWKS endpoint. Replace `IDP-JWKS-URL` with the provider's JWKS endpoint.

        ```console
        $ curl "IDP-JWKS-URL"
        ```

        From the key with `"use": "sig"` and `"alg": "RS256"`, note the `kid`, `kty`, `alg`, `use`, `n`, and `e` values.

    1. Ensure the [Vultr Terraform provider](https://registry.terraform.io/providers/vultr/vultr/latest/docs) is configured in your Terraform project.

    1. Define the OIDC issuer resource. Replace each placeholder with the corresponding value from the JWKS response.

        ```hcl
        resource "vultr_oidc_issuer" "my_issuer" {
          source = "external"
          uri    = "IDP-ISSUER-URI"
          kid    = "IDP-KID"
          kty    = "RSA"
          alg    = "RS256"
          use    = "sig"
          n      = "IDP-N-VALUE"
          e      = "IDP-E-VALUE"
        }
        ```

    1. Apply the configuration.

        ```console
        $ terraform apply
        ```

        Verify that the output shows `vultr_oidc_issuer.my_issuer: Creation complete`. Note the issuer `id` from the Terraform state for use in role trust configurations.
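
The key-selection step in both tabs can be scripted so the wrong JWKS entry is never registered. The following is an added example, not part of the Vultr documentation: it picks the key with `"use": "sig"` and `"alg": "RS256"` and builds the request body shown in the Vultr API tab. The function names, the constructed sample JWKS, the placeholder issuer `https://idp.example.com`, the 2048-bit minimum, and the private-member check are assumptions of this example.

```python
import base64
import json

def b64url_decode(value):
    """Decode an unpadded base64url string as used in JWK members."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def select_signing_key(jwks, min_bits=2048):
    """Return the single RSA/RS256 signing key from a JWKS document."""
    matches = [k for k in jwks.get("keys", [])
               if k.get("kty") == "RSA" and k.get("use") == "sig"
               and k.get("alg") == "RS256"]
    if len(matches) != 1:
        # Several signing keys usually means the IdP is rotating; choose by kid.
        raise ValueError(f"expected one RS256 signing key, found {len(matches)}")
    key = matches[0]
    if any(m in key for m in ("d", "p", "q", "dp", "dq", "qi")):
        raise ValueError("JWK contains private key members; refusing to use it")
    bits = int.from_bytes(b64url_decode(key["n"]), "big").bit_length()
    if bits < min_bits:  # assumed minimum, not a documented Vultr limit
        raise ValueError(f"RSA modulus is {bits} bits, below {min_bits}")
    return key

def build_issuer_payload(issuer_uri, key):
    """Build the JSON body used in the Create OIDC Issuer request."""
    fields = ("kid", "kty", "alg", "use", "n", "e")
    return {"issuer": {"source": "external", "uri": issuer_uri,
                       **{f: key[f] for f in fields}}}

def fake_modulus(num_bytes):
    # Constructed filler of the right length; not a real RSA modulus.
    raw = b"\xc3" + bytes(num_bytes - 2) + b"\x01"
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed JWKS: the first RSA key is for encryption, the second signs.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "enc", "alg": "RSA-OAEP", "kid": "enc-1",
     "n": fake_modulus(256), "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "sig-1",
     "n": fake_modulus(256), "e": "AQAB"},
]}

if __name__ == "__main__":
    key = select_signing_key(SAMPLE_JWKS)
    payload = build_issuer_payload("https://idp.example.com", key)
    print(json.dumps(payload, indent=2))
```

Feed it the parsed output of the `curl "IDP-JWKS-URL"` step in place of `SAMPLE_JWKS`, then pass the printed JSON to the `-d` argument of the create request.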