Internet Assigned Numbers Authority JSON Web Token (JWT) Created 2015-01-23 Last Updated 2025-05-30 Available Formats [IMG] XML [IMG] HTML [IMG] Plain text Registries Included Below • JSON Web Token Claims • JWT Confirmation Methods JSON Web Token Claims Registration Procedure(s) Specification Required Expert(s) Brian Campbell, Mike Jones, Nat Sakimura, Filip Skokan Reference [RFC7519] Note Registration requests should be sent to the mailing list described in [RFC7519]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Claim Name Claim Description Change Controller Reference iss Issuer [IESG] [RFC7519, Section 4.1.1] sub Subject [IESG] [RFC7519, Section 4.1.2] aud Audience [IESG] [RFC7519, Section 4.1.3] exp Expiration Time [IESG] [RFC7519, Section 4.1.4] nbf Not Before [IESG] [RFC7519, Section 4.1.5] iat Issued At [IESG] [RFC7519, Section 4.1.6] jti JWT ID [IESG] [RFC7519, Section 4.1.7] name Full name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] given_name Given name(s) or first [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] name(s) family_name Surname(s) or last [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] name(s) middle_name Middle name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] nickname Casual name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] Shorthand name by which preferred_username the End-User wishes to be [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] referred to profile Profile page URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] picture Profile picture URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] website Web page or blog URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] email Preferred e-mail address [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] True if the e-mail email_verified address has been [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] verified; otherwise false gender Gender [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] birthdate Birthday [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] zoneinfo Time zone [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] locale Locale [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] phone_number Preferred telephone [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] number True if the phone number phone_number_verified has been verified; [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] otherwise false address Preferred postal address [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] updated_at Time the information was [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] last updated Authorized party - the azp party to which the ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] Token was issued Value used to associate a Client session with an ID nonce Token (MAY also be used [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2][RFC9449] for nonce values in other applications of JWTs) auth_time Time when the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] authentication occurred at_hash Access Token hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] c_hash Code hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 3.3.2.11] acr Authentication Context [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] Class Reference amr Authentication Methods [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] References Public key used to check sub_jwk the signature of an ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 7.4] Token cnf Confirmation [IESG] [RFC7800, Section 3.1] sip_from_tag SIP From tag header field [IESG] [RFC8055][RFC3261] parameter value sip_date SIP Date header field [IESG] [RFC8055][RFC3261] value sip_callid SIP Call-Id header field [IESG] [RFC8055][RFC3261] value sip_cseq_num SIP CSeq numeric header [IESG] [RFC8055][RFC3261] field parameter value sip_via_branch SIP Via branch header [IESG] [RFC8055][RFC3261] field parameter value orig Originating Identity [IESG] [RFC8225, Section 5.2.1] String dest Destination Identity [IESG] [RFC8225, Section 5.2.1] String mky Media Key Fingerprint [IESG] [RFC8225, Section 5.2.2] String events Security Events [IESG] [RFC8417, Section 2.2] toe Time of Event [IESG] [RFC8417, Section 2.2] txn Transaction Identifier [IESG] [RFC8417, Section 2.2] rph Resource Priority Header [IESG] [RFC8443, Section 3] Authorization sid Session ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Front-Channel Logout 1.0, Section 3] vot Vector of Trust value [IESG] [RFC8485] vtm Vector of Trust trustmark [IESG] [RFC8485] URL Attestation level as attest defined in SHAKEN [IESG] [RFC8588] framework Originating Identifier as origid defined in SHAKEN [IESG] [RFC8588] framework act Actor [IESG] [RFC8693, Section 4.1] scope Scope Values [IESG] [RFC8693, Section 4.2] client_id Client Identifier [IESG] [RFC8693, Section 4.3] Authorized Actor - the may_act party that is authorized [IESG] [RFC8693, Section 4.4] to become the actor jcard jCard data [IESG] [RFC8688][RFC7095] Number of API requests at_use_nbr for which the access [ETSI] [ETSI GS NFV-SEC 022 V2.7.1] token can be used div Diverted Target of a Call [IESG] [RFC8946] opt Original PASSporT (in [IESG] [RFC8946] Full Form) Verifiable Credential as [W3C Recommendation Verifiable Credentials vc specified in the W3C [IESG] Data Model 1.0 - Expressing verifiable Recommendation information on the Web (19 November 2019), Section 6.3.1] Verifiable Presentation [W3C Recommendation Verifiable Credentials vp as specified in the W3C [IESG] Data Model 1.0 - Expressing verifiable Recommendation information on the Web (19 November 2019), Section 6.3.1] sph SIP Priority header field [IESG] [RFC9027] The ACE profile a token ace_profile is supposed to be used [IETF] [RFC9200, Section 5.10] with. "client-nonce". A nonce previously provided to the AS by the RS via the cnonce client. Used to verify [IETF] [RFC9200, Section 5.10] token freshness when the RS cannot synchronize its clock with the AS. "Expires in". Lifetime of the token in seconds from the time the RS first sees it. Used to exi implement a weaker from [IETF] [RFC9200, Section 5.10.3] of token expiration for devices that cannot synchronize their internal clocks. roles Roles [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] groups Groups [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] entitlements Entitlements [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] token_introspection Token introspection [IETF] [RFC9701, Section 5] response eat_nonce Nonce [IETF] [RFC9711] ueid Universal Entity ID [IETF] [RFC9711] sueids Semipermanent UEIDs [IETF] [RFC9711] oemid Hardware OEM ID [IETF] [RFC9711] hwmodel Model identifier for [IETF] [RFC9711] hardware hwversion Hardware Version [IETF] [RFC9711] Identifier Indicates whether the oemboot software booted was OEM [IETF] [RFC9711] authorized dbgstat The status of debug [IETF] [RFC9711] facilities location The geographic location [IETF] [RFC9711] eat_profile The EAT profile followed [IETF] [RFC9711] submods The section containing [IETF] [RFC9711] submodules uptime Uptime [IETF] [RFC9711] The number of times the bootcount entity or submodule has [IETF] [RFC9711] been booted bootseed Identifies a boot cycle [IETF] [RFC9711] Certifications received dloas as Digital Letters of [IETF] [RFC9711] Approval swname The name of the software [IETF] [RFC9711] running in the entity swversion The version of software [IETF] [RFC9711] running in the entity Manifests describing the manifests software installed on the [IETF] [RFC9711] entity Measurements of the measurements software, memory [IETF] [RFC9711] configuration, and such on the entity The results of comparing measres software measurements to [IETF] [RFC9711] reference values intuse The intended use of the [IETF] [RFC9711] EAT cdniv CDNI Claim Set Version [IETF] [RFC9246, Section 2.1.8] cdnicrit CDNI Critical Claims Set [IETF] [RFC9246, Section 2.1.9] cdniip CDNI IP Address [IETF] [RFC9246, Section 2.1.10] cdniuc CDNI URI Container [IETF] [RFC9246, Section 2.1.11] CDNI Expiration Time cdniets Setting for Signed Token [IETF] [RFC9246, Section 2.1.12] Renewal CDNI Signed Token cdnistt Transport Method for [IETF] [RFC9246, Section 2.1.13] Signed Token Renewal cdnistd CDNI Signed Token Depth [IETF] [RFC9246, Section 2.1.14] sig_val_claims Signature Validation [IETF] [RFC9321, Section 3.2.3] Token The claim authorization_details contains a JSON array of JSON objects representing authorization_details the rights of the access [IETF] [RFC9396, Section 9.1] token. Each JSON object contains the data to specify the authorization requirements for a certain type of resource. A structured claim containing end-user [OpenID Identity Assurance Schema Definition verified_claims claims and the details of [eKYC_and_Identity_Assurance_WG] 1.0, Section 5] how those end-user claims were assured. A structured claim place_of_birth representing the [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims end-user's place of Registration 1.0, Section 4] birth. String array representing [OpenID Connect for Identity Assurance Claims nationalities the end-user's [eKYC_and_Identity_Assurance_WG] Registration 1.0, Section 4] nationalities. Family name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the family name(s) later in [OpenID Connect for Identity Assurance Claims birth_family_name life for any reason. Note [eKYC_and_Identity_Assurance_WG] Registration 1.0, Section 4] that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. Given name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the birth_given_name given name later in life [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims for any reason. Note that Registration 1.0, Section 4] in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. Middle name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the middle name later in life for any reason. Note that [OpenID Connect for Identity Assurance Claims birth_middle_name in some cultures, people [eKYC_and_Identity_Assurance_WG] Registration 1.0, Section 4] can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. salutation End-user's salutation, [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims e.g., "Mr" Registration 1.0, Section 4] title End-user's title, e.g., [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims "Dr" Registration 1.0, Section 4] End-user's mobile phone msisdn number formatted [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims according to ITU-T Registration 1.0, Section 4] recommendation [E.164] Stage name, religious name or any other type of also_known_as alias/pseudonym with [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims which a person is known Registration 1.0, Section 4] in a specific context besides its legal name. htm The HTTP method of the [IETF] [RFC9449, Section 4.2] request The HTTP URI of the htu request (without query [IETF] [RFC9449, Section 4.2] and fragment parts) The base64url-encoded SHA-256 hash of the ASCII ath encoding of the [IETF] [RFC9449, Section 4.2] associated access token's value atc Authority Token Challenge [IETF] [RFC9447] sub_id Subject Identifier [IETF] [RFC9493, Section 4.1] rcd Rich Call Data [IETF] [RFC-ietf-stir-passport-rcd-26] Information rcdi Rich Call Data Integrity [IETF] [RFC-ietf-stir-passport-rcd-26] Information crn Call Reason [IETF] [RFC-ietf-stir-passport-rcd-26] msgi Message Integrity [IETF] [RFC9475] Information JSON object whose member _claim_names names are the Claim Names [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.6.2] for the Aggregated and Distributed Claims JSON object whose member _claim_sources names are referenced by [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.6.2] the member values of the _claim_names member This claim describes the set of RDAP query purposes that are rdap_allowed_purposes available to an identity [IETF] [RFC9560, Section 3.1.5.1] that is presented for access to a protected RDAP resource. This claim contains a JSON boolean literal that describes a "do not track" request for rdap_dnt_allowed server-side tracking, [IETF] [RFC9560, Section 3.1.5.2] logging, or recording of an identity that is presented for access to a protected RDAP resource. geohash Geohash String or Array [Consumer_Technology_Association] [Fast and Readable Geographical Hashing (CTA-5009)] _sd Digests of Disclosures [IETF] [RFC-ietf-oauth-selective-disclosure-jwt-22, for object properties Section 4.2.4.1] ... Digest of the Disclosure [IETF] [RFC-ietf-oauth-selective-disclosure-jwt-22, for an array element Section 4.2.4.2] Hash algorithm used to _sd_alg generate Disclosure [IETF] [RFC-ietf-oauth-selective-disclosure-jwt-22, digests and digest over Section 4.1.1] presentation sd_hash Digest of the SD-JWT to [IETF] [RFC-ietf-oauth-selective-disclosure-jwt-22, which the KB-JWT is tied Section 4.3] JWT Confirmation Methods Registration Procedure(s) Specification Required Expert(s) John Bradley, Hannes Tschofenig Reference [RFC7800] Note Registration requests should be sent to the mailing list described in [RFC7800]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Confirmation Method Value Confirmation Method Description Change Controller Reference jwk JSON Web Key Representing Public Key [IESG] [RFC7800, Section 3.2] jwe Encrypted JSON Web Key [IESG] [RFC7800, Section 3.3] kid Key Identifier [IESG] [RFC7800, Section 3.4] jku JWK Set URL [IESG] [RFC7800, Section 3.5] x5t#S256 X.509 Certificate SHA-256 Thumbprint [IESG] [RFC8705, Section 3.1] osc OSCORE_Input_Material carrying the parameters for using OSCORE per-message [IETF] [RFC9203, Section 3.2.1] security with implicit key confirmation jkt JWK SHA-256 Thumbprint [IETF] [RFC9449, Section 6] Contact Information ID Name Contact URI Last Updated [Consumer_Technology_Association] Consumer Technology Association mailto:standards&cta.tech 2024-08-02 [eKYC_and_Identity_Assurance_WG] eKYC and Identity Assurance mailto:openid-specs-ekyc-ida&lists.openid.net 2024-08-02 Working Group [ETSI] ETSI mailto:pnns&etsi.org 2024-08-02 [IESG] IESG mailto:iesg&ietf.org [IETF] IETF mailto:iesg&ietf.org [OpenID_Foundation_Artifact_Binding_Working_Group] OpenID Foundation Artifact Binding mailto:openid-specs-ab&lists.openid.net 2024-08-02 Working Group Licensing Terms