Internet Assigned Numbers Authority JSON Web Token (JWT) Created 2015-01-23 Last Updated 2024-02-20 Available Formats [IMG] XML [IMG] HTML [IMG] Plain text Registries included below • JSON Web Token Claims • JWT Confirmation Methods JSON Web Token Claims Registration Procedure(s) Specification Required Expert(s) John Bradley, Brian Campbell, Michael B. Jones Reference [RFC7519] Note Registration requests should be sent to the mailing list described in [RFC7519]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Claim Name Claim Description Change Controller Reference iss Issuer [IESG] [RFC7519, Section 4.1.1] sub Subject [IESG] [RFC7519, Section 4.1.2] aud Audience [IESG] [RFC7519, Section 4.1.3] exp Expiration Time [IESG] [RFC7519, Section 4.1.4] nbf Not Before [IESG] [RFC7519, Section 4.1.5] iat Issued At [IESG] [RFC7519, Section 4.1.6] jti JWT ID [IESG] [RFC7519, Section 4.1.7] name Full name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] given_name Given name(s) or first [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] name(s) family_name Surname(s) or last [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] name(s) middle_name Middle name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] nickname Casual name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] Shorthand name by which preferred_username the End-User wishes to [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] be referred to profile Profile page URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] picture Profile picture URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] website Web page or blog URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] email Preferred e-mail [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] address True if the e-mail email_verified address has been [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] verified; otherwise false gender Gender [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] birthdate Birthday [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] zoneinfo Time zone [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] locale Locale [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] phone_number Preferred telephone [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] number True if the phone phone_number_verified number has been [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] verified; otherwise false address Preferred postal [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] address updated_at Time the information [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] was last updated Authorized party - the azp party to which the ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] Token was issued Value used to associate a Client session with nonce an ID Token (MAY also [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2][RFC9449] be used for nonce values in other applications of JWTs) auth_time Time when the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] authentication occurred at_hash Access Token hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] c_hash Code hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 3.3.2.11] acr Authentication Context [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] Class Reference amr Authentication Methods [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] References Public key used to sub_jwk check the signature of [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 7.4] an ID Token cnf Confirmation [IESG] [RFC7800, Section 3.1] sip_from_tag SIP From tag header [IESG] [RFC8055][RFC3261] field parameter value sip_date SIP Date header field [IESG] [RFC8055][RFC3261] value sip_callid SIP Call-Id header [IESG] [RFC8055][RFC3261] field value sip_cseq_num SIP CSeq numeric header [IESG] [RFC8055][RFC3261] field parameter value sip_via_branch SIP Via branch header [IESG] [RFC8055][RFC3261] field parameter value orig Originating Identity [IESG] [RFC8225, Section 5.2.1] String dest Destination Identity [IESG] [RFC8225, Section 5.2.1] String mky Media Key Fingerprint [IESG] [RFC8225, Section 5.2.2] String events Security Events [IESG] [RFC8417, Section 2.2] toe Time of Event [IESG] [RFC8417, Section 2.2] txn Transaction Identifier [IESG] [RFC8417, Section 2.2] rph Resource Priority [IESG] [RFC8443, Section 3] Header Authorization sid Session ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Front-Channel Logout 1.0, Section 3] vot Vector of Trust value [IESG] [RFC8485] vtm Vector of Trust [IESG] [RFC8485] trustmark URL Attestation level as attest defined in SHAKEN [IESG] [RFC8588] framework Originating Identifier origid as defined in SHAKEN [IESG] [RFC8588] framework act Actor [IESG] [RFC8693, Section 4.1] scope Scope Values [IESG] [RFC8693, Section 4.2] client_id Client Identifier [IESG] [RFC8693, Section 4.3] Authorized Actor - the may_act party that is [IESG] [RFC8693, Section 4.4] authorized to become the actor jcard jCard data [IESG] [RFC8688][RFC7095] Number of API requests at_use_nbr for which the access [ETSI] [ETSI GS NFV-SEC 022 V2.7.1] token can be used div Diverted Target of a [IESG] [RFC8946] Call opt Original PASSporT (in [IESG] [RFC8946] Full Form) Verifiable Credential [W3C Recommendation Verifiable Credentials Data vc as specified in the W3C [IESG] Model 1.0 - Expressing verifiable information Recommendation on the Web (19 November 2019), Section 6.3.1] Verifiable Presentation [W3C Recommendation Verifiable Credentials Data vp as specified in the W3C [IESG] Model 1.0 - Expressing verifiable information Recommendation on the Web (19 November 2019), Section 6.3.1] sph SIP Priority header [IESG] [RFC9027] field The ACE profile a token ace_profile is supposed to be used [IETF] [RFC9200, Section 5.10] with. "client-nonce". A nonce previously provided to the AS by the RS via cnonce the client. Used to [IETF] [RFC9200, Section 5.10] verify token freshness when the RS cannot synchronize its clock with the AS. "Expires in". Lifetime of the token in seconds from the time the RS first sees it. Used to exi implement a weaker from [IETF] [RFC9200, Section 5.10.3] of token expiration for devices that cannot synchronize their internal clocks. roles Roles [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] groups Groups [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] entitlements Entitlements [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] token_introspection Token introspection [IETF] [RFC-ietf-oauth-jwt-introspection-response-12, response Section 5] eat_nonce Nonce [IETF] [RFC-ietf-rats-eat-25] ueid The Universal Entity ID [IETF] [RFC-ietf-rats-eat-25] sueids Semi-permanent UEIDs [IETF] [RFC-ietf-rats-eat-25] oemid Hardware OEM ID [IETF] [RFC-ietf-rats-eat-25] hwmodel Model identifier for [IETF] [RFC-ietf-rats-eat-25] hardware hwversion Hardware Version [IETF] [RFC-ietf-rats-eat-25] Identifier Indicates whether the oemboot software booted was OEM [IETF] [RFC-ietf-rats-eat-25] authorized dbgstat Indicates status of [IETF] [RFC-ietf-rats-eat-25] debug facilities location The geographic location [IETF] [RFC-ietf-rats-eat-25] eat_profile Indicates the EAT [IETF] [RFC-ietf-rats-eat-25] profile followed submods The section containing [IETF] [RFC-ietf-rats-eat-25] submodules uptime Uptime [IETF] [RFC-ietf-rats-eat-25] The number times the bootcount entity or submodule has [IETF] [RFC-ietf-rats-eat-25] been booted bootseed Identifies a boot cycle [IETF] [RFC-ietf-rats-eat-25] Certifications received dloas as Digital Letters of [IETF] [RFC-ietf-rats-eat-25] Approval The name of the swname software running in the [IETF] [RFC-ietf-rats-eat-25] entity swversion The version of software [IETF] [RFC-ietf-rats-eat-25] running in the entity Manifests describing manifests the software installed [IETF] [RFC-ietf-rats-eat-25] on the entity Measurements of the measurements software, memory [IETF] [RFC-ietf-rats-eat-25] configuration and such on the entity The results of measres comparing software [IETF] [RFC-ietf-rats-eat-25] measurements to reference values intuse Indicates intended use [IETF] [RFC-ietf-rats-eat-25] of the EAT cdniv CDNI Claim Set Version [IETF] [RFC9246, Section 2.1.8] cdnicrit CDNI Critical Claims [IETF] [RFC9246, Section 2.1.9] Set cdniip CDNI IP Address [IETF] [RFC9246, Section 2.1.10] cdniuc CDNI URI Container [IETF] [RFC9246, Section 2.1.11] CDNI Expiration Time cdniets Setting for Signed [IETF] [RFC9246, Section 2.1.12] Token Renewal CDNI Signed Token cdnistt Transport Method for [IETF] [RFC9246, Section 2.1.13] Signed Token Renewal cdnistd CDNI Signed Token Depth [IETF] [RFC9246, Section 2.1.14] sig_val_claims Signature Validation [IETF] [RFC9321, Section 3.2.3] Token The claim authorization_details contains a JSON array of JSON objects representing the rights of the access token. authorization_details Each JSON object [IETF] [RFC9396, Section 9.1] contains the data to specify the authorization requirements for a certain type of resource. This container Claim is composed of the verification evidence related to a certain verified_claims verification process [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance 1.0, and the corresponding Section 5] Claims about the End-User which were verified in this process. A structured Claim place_of_birth representing the [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance 1.0, End-User's place of Section 4] birth. String array nationalities representing the [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance 1.0, End-User's Section 4] nationalities. Family name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the family name(s) later in life [OpenID Connect for Identity Assurance 1.0, birth_family_name for any reason. Note [eKYC_and_Identity_Assurance_WG] Section 4] that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. Given name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the given name [OpenID Connect for Identity Assurance 1.0, birth_given_name later in life for any [eKYC_and_Identity_Assurance_WG] Section 4] reason. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. Middle name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the middle name later in life for any birth_middle_name reason. Note that in [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance 1.0, some cultures, people Section 4] can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. salutation End-User's salutation, [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance 1.0, e.g., "Mr." Section 4] title End-User's title, e.g., [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance 1.0, "Dr." Section 4] End-User's mobile phone msisdn number formatted [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance 1.0, according to ITU-T Section 4] recommendation [E.164] Stage name, religious name or any other type of alias/pseudonym with which a person is known in a specific context also_known_as besides its legal name. [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance 1.0, This must be part of Section 4] the applicable legislation and thus the trust framework (e.g., be an attribute on the identity card). htm The HTTP method of the [IETF] [RFC9449, Section 4.2] request The HTTP URI of the htu request (without query [IETF] [RFC9449, Section 4.2] and fragment parts) The base64url-encoded SHA-256 hash of the ath ASCII encoding of the [IETF] [RFC9449, Section 4.2] associated access token's value atc Authority Token [IETF] [RFC9447] Challenge sub_id Subject Identifier [IETF] [RFC9493, Section 4.1] rcd Rich Call Data [IETF] [RFC-ietf-stir-passport-rcd-26] Information rcdi Rich Call Data [IETF] [RFC-ietf-stir-passport-rcd-26] Integrity Information crn Call Reason [IETF] [RFC-ietf-stir-passport-rcd-26] msgi Message Integrity [IETF] [RFC9475] Information JSON object whose member names are the _claim_names Claim Names for the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.6.2] Aggregated and Distributed Claims JSON object whose member names are _claim_sources referenced by the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.6.2] member values of the _claim_names member This claim describes the set of RDAP query purposes that are rdap_allowed_purposes available to an [IETF] [RFC-ietf-regext-rdap-openid-27, Section identity that is 3.1.5.1] presented for access to a protected RDAP resource. This claim contains a JSON boolean literal that describes a "do not track" request for rdap_dnt_allowed server-side tracking, [IETF] [RFC-ietf-regext-rdap-openid-27, Section logging, or recording 3.1.5.2] of an identity that is presented for access to a protected RDAP resource. geohash Geohash String or Array [Consumer_Technology_Association] [Fast and Readable Geographical Hashing (CTA-5009)] JWT Confirmation Methods Registration Procedure(s) Specification Required Expert(s) John Bradley, Hannes Tschofenig Reference [RFC7800] Note Registration requests should be sent to the mailing list described in [RFC7800]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Confirmation Method Value Confirmation Method Description Change Controller Reference jwk JSON Web Key Representing Public Key [IESG] [RFC7800, Section 3.2] jwe Encrypted JSON Web Key [IESG] [RFC7800, Section 3.3] kid Key Identifier [IESG] [RFC7800, Section 3.4] jku JWK Set URL [IESG] [RFC7800, Section 3.5] x5t#S256 X.509 Certificate SHA-256 Thumbprint [IESG] [RFC8705, Section 3.1] osc OSCORE_Input_Material carrying the parameters for using OSCORE per-message [IETF] [RFC9203, Section 3.2.1] security with implicit key confirmation jkt JWK SHA-256 Thumbprint [IETF] [RFC9449, Section 6] Contact Information ID Name Contact URI Last Updated [Consumer_Technology_Association] Consumer Technology Association mailto:standards&cta.tech 2024-02-20 [eKYC_and_Identity_Assurance_WG] eKYC and Identity Assurance mailto:openid-specs-ekyc-ida&lists.openid.net 2023-04-13 Working Group [ETSI] ETSI mailto:pnns&etsi.org 2020-01-13 [IESG] IESG mailto:iesg&ietf.org [IETF] IETF mailto:iesg&ietf.org [OpenID_Foundation_Artifact_Binding_Working_Group] OpenID Foundation Artifact Binding mailto:openid-specs-ab&lists.openid.net 2023-08-16 Working Group Licensing Terms