Internet Assigned Numbers Authority JSON Web Token (JWT) Created 2015-01-23 Last Updated 2025-02-04 Available Formats [IMG] XML [IMG] HTML [IMG] Plain text Registries included below • JSON Web Token Claims • JWT Confirmation Methods JSON Web Token Claims Registration Procedure(s) Specification Required Expert(s) Brian Campbell, Mike Jones, Nat Sakimura, Filip Skokan Reference [RFC7519] Note Registration requests should be sent to the mailing list described in [RFC7519]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Claim Name Claim Description Change Controller Reference iss Issuer [IESG] [RFC7519, Section 4.1.1] sub Subject [IESG] [RFC7519, Section 4.1.2] aud Audience [IESG] [RFC7519, Section 4.1.3] exp Expiration Time [IESG] [RFC7519, Section 4.1.4] nbf Not Before [IESG] [RFC7519, Section 4.1.5] iat Issued At [IESG] [RFC7519, Section 4.1.6] jti JWT ID [IESG] [RFC7519, Section 4.1.7] name Full name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] given_name Given name(s) or first name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] family_name Surname(s) or last name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] middle_name Middle name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] nickname Casual name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] preferred_username Shorthand name by which the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section End-User wishes to be referred to 5.1] profile Profile page URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] picture Profile picture URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] website Web page or blog URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] email Preferred e-mail address [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] email_verified True if the e-mail address has [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section been verified; otherwise false 5.1] gender Gender [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] birthdate Birthday [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] zoneinfo Time zone [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] locale Locale [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] phone_number Preferred telephone number [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] phone_number_verified True if the phone number has been [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section verified; otherwise false 5.1] address Preferred postal address [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] updated_at Time the information was last [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section updated 5.1] azp Authorized party - the party to [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] which the ID Token was issued Value used to associate a Client nonce session with an ID Token (MAY also [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section be used for nonce values in other 2][RFC9449] applications of JWTs) auth_time Time when the authentication [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] occurred at_hash Access Token hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] c_hash Code hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 3.3.2.11] acr Authentication Context Class [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] Reference amr Authentication Methods References [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] sub_jwk Public key used to check the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section signature of an ID Token 7.4] cnf Confirmation [IESG] [RFC7800, Section 3.1] sip_from_tag SIP From tag header field [IESG] [RFC8055][RFC3261] parameter value sip_date SIP Date header field value [IESG] [RFC8055][RFC3261] sip_callid SIP Call-Id header field value [IESG] [RFC8055][RFC3261] sip_cseq_num SIP CSeq numeric header field [IESG] [RFC8055][RFC3261] parameter value sip_via_branch SIP Via branch header field [IESG] [RFC8055][RFC3261] parameter value orig Originating Identity String [IESG] [RFC8225, Section 5.2.1] dest Destination Identity String [IESG] [RFC8225, Section 5.2.1] mky Media Key Fingerprint String [IESG] [RFC8225, Section 5.2.2] events Security Events [IESG] [RFC8417, Section 2.2] toe Time of Event [IESG] [RFC8417, Section 2.2] txn Transaction Identifier [IESG] [RFC8417, Section 2.2] rph Resource Priority Header [IESG] [RFC8443, Section 3] Authorization sid Session ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Front-Channel Logout 1.0, Section 3] vot Vector of Trust value [IESG] [RFC8485] vtm Vector of Trust trustmark URL [IESG] [RFC8485] attest Attestation level as defined in [IESG] [RFC8588] SHAKEN framework origid Originating Identifier as defined [IESG] [RFC8588] in SHAKEN framework act Actor [IESG] [RFC8693, Section 4.1] scope Scope Values [IESG] [RFC8693, Section 4.2] client_id Client Identifier [IESG] [RFC8693, Section 4.3] may_act Authorized Actor - the party that [IESG] [RFC8693, Section 4.4] is authorized to become the actor jcard jCard data [IESG] [RFC8688][RFC7095] at_use_nbr Number of API requests for which [ETSI] [ETSI GS NFV-SEC 022 V2.7.1] the access token can be used div Diverted Target of a Call [IESG] [RFC8946] opt Original PASSporT (in Full Form) [IESG] [RFC8946] [W3C Recommendation Verifiable Verifiable Credential as specified Credentials Data Model 1.0 - vc in the W3C Recommendation [IESG] Expressing verifiable information on the Web (19 November 2019), Section 6.3.1] [W3C Recommendation Verifiable Verifiable Presentation as Credentials Data Model 1.0 - vp specified in the W3C [IESG] Expressing verifiable information on Recommendation the Web (19 November 2019), Section 6.3.1] sph SIP Priority header field [IESG] [RFC9027] ace_profile The ACE profile a token is [IETF] [RFC9200, Section 5.10] supposed to be used with. "client-nonce". A nonce previously provided to the AS by the RS via cnonce the client. Used to verify token [IETF] [RFC9200, Section 5.10] freshness when the RS cannot synchronize its clock with the AS. "Expires in". Lifetime of the token in seconds from the time the exi RS first sees it. Used to [IETF] [RFC9200, Section 5.10.3] implement a weaker from of token expiration for devices that cannot synchronize their internal clocks. roles Roles [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] groups Groups [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] entitlements Entitlements [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] token_introspection Token introspection response [IETF] [RFC9701, Section 5] eat_nonce Nonce [IETF] [RFC-ietf-rats-eat-30] ueid The Universal Entity ID [IETF] [RFC-ietf-rats-eat-30] sueids Semi-permanent UEIDs [IETF] [RFC-ietf-rats-eat-30] oemid Hardware OEM ID [IETF] [RFC-ietf-rats-eat-30] hwmodel Model identifier for hardware [IETF] [RFC-ietf-rats-eat-30] hwversion Hardware Version Identifier [IETF] [RFC-ietf-rats-eat-30] oemboot Indicates whether the software [IETF] [RFC-ietf-rats-eat-30] booted was OEM authorized dbgstat Indicates status of debug [IETF] [RFC-ietf-rats-eat-30] facilities location The geographic location [IETF] [RFC-ietf-rats-eat-30] eat_profile Indicates the EAT profile followed [IETF] [RFC-ietf-rats-eat-30] submods The section containing submodules [IETF] [RFC-ietf-rats-eat-30] uptime Uptime [IETF] [RFC-ietf-rats-eat-30] bootcount The number times the entity or [IETF] [RFC-ietf-rats-eat-30] submodule has been booted bootseed Identifies a boot cycle [IETF] [RFC-ietf-rats-eat-30] dloas Certifications received as Digital [IETF] [RFC-ietf-rats-eat-30] Letters of Approval swname The name of the software running [IETF] [RFC-ietf-rats-eat-30] in the entity swversion The version of software running in [IETF] [RFC-ietf-rats-eat-30] the entity manifests Manifests describing the software [IETF] [RFC-ietf-rats-eat-30] installed on the entity Measurements of the software, measurements memory configuration and such on [IETF] [RFC-ietf-rats-eat-30] the entity measres The results of comparing software [IETF] [RFC-ietf-rats-eat-30] measurements to reference values intuse Indicates intended use of the EAT [IETF] [RFC-ietf-rats-eat-30] cdniv CDNI Claim Set Version [IETF] [RFC9246, Section 2.1.8] cdnicrit CDNI Critical Claims Set [IETF] [RFC9246, Section 2.1.9] cdniip CDNI IP Address [IETF] [RFC9246, Section 2.1.10] cdniuc CDNI URI Container [IETF] [RFC9246, Section 2.1.11] cdniets CDNI Expiration Time Setting for [IETF] [RFC9246, Section 2.1.12] Signed Token Renewal cdnistt CDNI Signed Token Transport Method [IETF] [RFC9246, Section 2.1.13] for Signed Token Renewal cdnistd CDNI Signed Token Depth [IETF] [RFC9246, Section 2.1.14] sig_val_claims Signature Validation Token [IETF] [RFC9321, Section 3.2.3] The claim authorization_details contains a JSON array of JSON objects representing the rights of authorization_details the access token. Each JSON object [IETF] [RFC9396, Section 9.1] contains the data to specify the authorization requirements for a certain type of resource. A structured claim containing verified_claims end-user claims and the details of [eKYC_and_Identity_Assurance_WG] [OpenID Identity Assurance Schema how those end-user claims were Definition 1.0, Section 5] assured. A structured claim representing [OpenID Connect for Identity place_of_birth the end-user's place of birth. [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, Section 4] String array representing the [OpenID Connect for Identity nationalities end-user's nationalities. [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, Section 4] Family name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the family name(s) later [OpenID Connect for Identity birth_family_name in life for any reason. Note that [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, in some cultures, people can have Section 4] multiple family names or no family name; all can be present, with the names being separated by space characters. Given name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who [OpenID Connect for Identity birth_given_name changes the given name later in [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, life for any reason. Note that in Section 4] some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. Middle name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the middle name later in [OpenID Connect for Identity birth_middle_name life for any reason. Note that in [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, some cultures, people can have Section 4] multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. [OpenID Connect for Identity salutation End-user's salutation, e.g., "Mr" [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, Section 4] [OpenID Connect for Identity title End-user's title, e.g., "Dr" [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, Section 4] End-user's mobile phone number [OpenID Connect for Identity msisdn formatted according to ITU-T [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, recommendation [E.164] Section 4] Stage name, religious name or any other type of alias/pseudonym with [OpenID Connect for Identity also_known_as which a person is known in a [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, specific context besides its legal Section 4] name. htm The HTTP method of the request [IETF] [RFC9449, Section 4.2] htu The HTTP URI of the request [IETF] [RFC9449, Section 4.2] (without query and fragment parts) The base64url-encoded SHA-256 hash ath of the ASCII encoding of the [IETF] [RFC9449, Section 4.2] associated access token's value atc Authority Token Challenge [IETF] [RFC9447] sub_id Subject Identifier [IETF] [RFC9493, Section 4.1] rcd Rich Call Data Information [IETF] [RFC-ietf-stir-passport-rcd-26] rcdi Rich Call Data Integrity [IETF] [RFC-ietf-stir-passport-rcd-26] Information crn Call Reason [IETF] [RFC-ietf-stir-passport-rcd-26] msgi Message Integrity Information [IETF] [RFC9475] JSON object whose member names are [OpenID Connect Core 1.0, Section _claim_names the Claim Names for the Aggregated [OpenID_Foundation_Artifact_Binding_Working_Group] 5.6.2] and Distributed Claims JSON object whose member names are [OpenID Connect Core 1.0, Section _claim_sources referenced by the member values of [OpenID_Foundation_Artifact_Binding_Working_Group] 5.6.2] the _claim_names member This claim describes the set of RDAP query purposes that are rdap_allowed_purposes available to an identity that is [IETF] [RFC9560, Section 3.1.5.1] presented for access to a protected RDAP resource. This claim contains a JSON boolean literal that describes a "do not track" request for server-side rdap_dnt_allowed tracking, logging, or recording of [IETF] [RFC9560, Section 3.1.5.2] an identity that is presented for access to a protected RDAP resource. geohash Geohash String or Array [Consumer_Technology_Association] [Fast and Readable Geographical Hashing (CTA-5009)] JWT Confirmation Methods Registration Procedure(s) Specification Required Expert(s) John Bradley, Hannes Tschofenig Reference [RFC7800] Note Registration requests should be sent to the mailing list described in [RFC7800]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Confirmation Method Value Confirmation Method Description Change Controller Reference jwk JSON Web Key Representing Public Key [IESG] [RFC7800, Section 3.2] jwe Encrypted JSON Web Key [IESG] [RFC7800, Section 3.3] kid Key Identifier [IESG] [RFC7800, Section 3.4] jku JWK Set URL [IESG] [RFC7800, Section 3.5] x5t#S256 X.509 Certificate SHA-256 Thumbprint [IESG] [RFC8705, Section 3.1] osc OSCORE_Input_Material carrying the parameters for using OSCORE per-message [IETF] [RFC9203, Section 3.2.1] security with implicit key confirmation jkt JWK SHA-256 Thumbprint [IETF] [RFC9449, Section 6] Contact Information ID Name Contact URI Last Updated [Consumer_Technology_Association] Consumer Technology Association mailto:standards&cta.tech 2024-08-02 [eKYC_and_Identity_Assurance_WG] eKYC and Identity Assurance mailto:openid-specs-ekyc-ida&lists.openid.net 2024-08-02 Working Group [ETSI] ETSI mailto:pnns&etsi.org 2024-08-02 [IESG] IESG mailto:iesg&ietf.org [IETF] IETF mailto:iesg&ietf.org [OpenID_Foundation_Artifact_Binding_Working_Group] OpenID Foundation Artifact Binding mailto:openid-specs-ab&lists.openid.net 2024-08-02 Working Group Licensing Terms