Internet Assigned Numbers Authority JSON Web Token (JWT) Created 2015-01-23 Last Updated 2023-02-13 Available Formats [IMG] XML [IMG] HTML [IMG] Plain text Registries included below * JSON Web Token Claims * JWT Confirmation Methods JSON Web Token Claims Registration Procedure(s) Specification Required Expert(s) John Bradley, Brian Campbell, Michael B. Jones, Chuck Mortimore Reference [RFC7519] Note Registration requests should be sent to the mailing list described in [RFC7519]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Claim Name Claim Description Change Controller Reference iss Issuer [IESG] [RFC7519, Section 4.1.1] sub Subject [IESG] [RFC7519, Section 4.1.2] aud Audience [IESG] [RFC7519, Section 4.1.3] exp Expiration Time [IESG] [RFC7519, Section 4.1.4] nbf Not Before [IESG] [RFC7519, Section 4.1.5] iat Issued At [IESG] [RFC7519, Section 4.1.6] jti JWT ID [IESG] [RFC7519, Section 4.1.7] name Full name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] given_name Given name(s) or first [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] name(s) family_name Surname(s) or last [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] name(s) middle_name Middle name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] nickname Casual name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] Shorthand name by which preferred_username the End-User wishes to [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] be referred to profile Profile page URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] picture Profile picture URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] website Web page or blog URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] email Preferred e-mail [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] address True if the e-mail email_verified address has been [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] verified; otherwise false gender Gender [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] birthdate Birthday [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] zoneinfo Time zone [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] locale Locale [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] phone_number Preferred telephone [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] number True if the phone phone_number_verified number has been [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] verified; otherwise false address Preferred postal [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] address updated_at Time the information [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] was last updated Authorized party - the azp party to which the ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] Token was issued Value used to associate nonce a Client session with [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] an ID Token auth_time Time when the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] authentication occurred at_hash Access Token hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] c_hash Code hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 3.3.2.11] acr Authentication Context [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] Class Reference amr Authentication Methods [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] References Public key used to sub_jwk check the signature of [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 7.4] an ID Token cnf Confirmation [IESG] [RFC7800, Section 3.1] sip_from_tag SIP From tag header [IESG] [RFC8055][RFC3261] field parameter value sip_date SIP Date header field [IESG] [RFC8055][RFC3261] value sip_callid SIP Call-Id header [IESG] [RFC8055][RFC3261] field value sip_cseq_num SIP CSeq numeric header [IESG] [RFC8055][RFC3261] field parameter value sip_via_branch SIP Via branch header [IESG] [RFC8055][RFC3261] field parameter value orig Originating Identity [IESG] [RFC8225, Section 5.2.1] String dest Destination Identity [IESG] [RFC8225, Section 5.2.1] String mky Media Key Fingerprint [IESG] [RFC8225, Section 5.2.2] String events Security Events [IESG] [RFC8417, Section 2.2] toe Time of Event [IESG] [RFC8417, Section 2.2] txn Transaction Identifier [IESG] [RFC8417, Section 2.2] rph Resource Priority [IESG] [RFC8443, Section 3] Header Authorization sid Session ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Front-Channel Logout 1.0, Section 3] vot Vector of Trust value [IESG] [RFC8485] vtm Vector of Trust [IESG] [RFC8485] trustmark URL Attestation level as attest defined in SHAKEN [IESG] [RFC8588] framework Originating Identifier origid as defined in SHAKEN [IESG] [RFC8588] framework act Actor [IESG] [RFC8693, Section 4.1] scope Scope Values [IESG] [RFC8693, Section 4.2] client_id Client Identifier [IESG] [RFC8693, Section 4.3] Authorized Actor - the may_act party that is [IESG] [RFC8693, Section 4.4] authorized to become the actor jcard jCard data [IESG] [RFC8688][RFC7095] Number of API requests at_use_nbr for which the access [ETSI] [ETSI GS NFV-SEC 022 V2.7.1] token can be used div Diverted Target of a [IESG] [RFC8946] Call opt Original PASSporT (in [IESG] [RFC8946] Full Form) Verifiable Credential [W3C Recommendation Verifiable Credentials Data vc as specified in the W3C [IESG] Model 1.0 - Expressing verifiable information Recommendation on the Web (19 November 2019), Section 6.3.1] Verifiable Presentation [W3C Recommendation Verifiable Credentials Data vp as specified in the W3C [IESG] Model 1.0 - Expressing verifiable information Recommendation on the Web (19 November 2019), Section 6.3.1] sph SIP Priority header [IESG] [RFC9027] field The ACE profile a token ace_profile is supposed to be used [IETF] [RFC9200, Section 5.10] with. "client-nonce". A nonce previously provided to the AS by the RS via cnonce the client. Used to [IETF] [RFC9200, Section 5.10] verify token freshness when the RS cannot synchronize its clock with the AS. "Expires in". Lifetime of the token in seconds from the time the RS first sees it. Used to exi implement a weaker from [IETF] [RFC9200, Section 5.10.3] of token expiration for devices that cannot synchronize their internal clocks. roles Roles [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] groups Groups [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] entitlements Entitlements [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] token_introspection Token introspection [IETF] [RFC-ietf-oauth-jwt-introspection-response-12, response Section 5] The Universal Entity ID (TEMPORARY - registered ueid 2022-03-23, extension [IESG] [draft-ietf-rats-eat-12] registered 2023-02-13, expires 2024-03-23) Semi-permanent UEIDs (TEMPORARY - registered sueids 2022-03-23, extension [IESG] [draft-ietf-rats-eat-12] registered 2023-02-13, expires 2024-03-23) Hardware OEM ID (TEMPORARY - registered oemid 2022-03-23, extension [IESG] [draft-ietf-rats-eat-12] registered 2023-02-13, expires 2024-03-23) Model identifier for hardware (TEMPORARY - hwmodel registered 2022-03-23, [IESG] [draft-ietf-rats-eat-12] extension registered 2023-02-13, expires 2024-03-23) Hardware Version Identifier (TEMPORARY - hwversion registered 2022-03-23, [IESG] [draft-ietf-rats-eat-12] extension registered 2023-02-13, expires 2024-03-23) Indicate whether the boot was secure secboot (TEMPORARY - registered [IESG] [draft-ietf-rats-eat-12] 2022-03-23, extension registered 2023-02-13, expires 2024-03-23) Indicate status of debug facilities dbgstat (TEMPORARY - registered [IESG] [draft-ietf-rats-eat-12] 2022-03-23, extension registered 2023-02-13, expires 2024-03-23) The geographic location (TEMPORARY - registered location 2022-03-23, extension [IESG] [draft-ietf-rats-eat-12] registered 2023-02-13, expires 2024-03-23) Indicates the EAT profile followed eat_profile (TEMPORARY - registered [IESG] [draft-ietf-rats-eat-12] 2022-03-23, extension registered 2023-02-13, expires 2024-03-23) The section containing submodules (TEMPORARY - submods registered 2022-03-23, [IESG] [draft-ietf-rats-eat-12] extension registered 2023-02-13, expires 2024-03-23) cdniv CDNI Claim Set Version [IETF] [RFC9246, Section 2.1.8] cdnicrit CDNI Critical Claims [IETF] [RFC9246, Section 2.1.9] Set cdniip CDNI IP Address [IETF] [RFC9246, Section 2.1.10] cdniuc CDNI URI Container [IETF] [RFC9246, Section 2.1.11] CDNI Expiration Time cdniets Setting for Signed [IETF] [RFC9246, Section 2.1.12] Token Renewal CDNI Signed Token cdnistt Transport Method for [IETF] [RFC9246, Section 2.1.13] Signed Token Renewal cdnistd CDNI Signed Token Depth [IETF] [RFC9246, Section 2.1.14] sig_val_claims Signature Validation [IETF] [RFC9321, Section 3.2.3] Token The claim authorization_details contains a JSON array of JSON objects representing the rights of the access token. authorization_details Each JSON object [IETF] [RFC-ietf-oauth-rar-22, Section 9.1] contains the data to specify the authorization requirements for a certain type of resource. JWT Confirmation Methods Registration Procedure(s) Specification Required Expert(s) John Bradley, Hannes Tschofenig Reference [RFC7800] Note Registration requests should be sent to the mailing list described in [RFC7800]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Confirmation Method Value Confirmation Method Description Change Controller Reference jwk JSON Web Key Representing Public Key [IESG] [RFC7800, Section 3.2] jwe Encrypted JSON Web Key [IESG] [RFC7800, Section 3.3] kid Key Identifier [IESG] [RFC7800, Section 3.4] jku JWK Set URL [IESG] [RFC7800, Section 3.5] x5t#S256 X.509 Certificate SHA-256 Thumbprint [IESG] [RFC8705, Section 3.1] osc OSCORE_Input_Material carrying the parameters for using OSCORE per-message [IETF] [RFC9203, Section 3.2.1] security with implicit key confirmation Contact Information ID Name Contact URI Last Updated [ETSI] ETSI mailto:pnns&etsi.org 2020-01-13 [IESG] IESG mailto:iesg&ietf.org [IETF] IETF mailto:iesg&ietf.org [OpenID_Foundation_Artifact_Binding_Working_Group] OpenID Foundation Artifact Binding mailto:openid-specs-ab&lists.openid.net 2015-04-20 Working Group Licensing Terms