Internet Assigned Numbers Authority

JSON Web Token (JWT)

Created
2015-01-23
Last Updated
2024-11-22
Available Formats

XML

HTML

Plain text

Registries included below

JSON Web Token Claims

Registration Procedure(s)
Specification Required
Expert(s)
Brian Campbell, Mike Jones, Nat Sakimura, Filip Skokan
Reference
[RFC7519]
Note
Registration requests should be sent to the mailing list described in 
[RFC7519]. If approved, designated experts should notify IANA within 
three weeks. For assistance, please contact iana@iana.org.
    
Available Formats

CSV
Claim Name Claim Description Change Controller Reference
iss Issuer [IESG] [RFC7519, Section 4.1.1]
sub Subject [IESG] [RFC7519, Section 4.1.2]
aud Audience [IESG] [RFC7519, Section 4.1.3]
exp Expiration Time [IESG] [RFC7519, Section 4.1.4]
nbf Not Before [IESG] [RFC7519, Section 4.1.5]
iat Issued At [IESG] [RFC7519, Section 4.1.6]
jti JWT ID [IESG] [RFC7519, Section 4.1.7]
name Full name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
given_name Given name(s) or first name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
family_name Surname(s) or last name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
middle_name Middle name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
nickname Casual name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
preferred_username Shorthand name by which the End-User wishes to be referred to [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
profile Profile page URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
picture Profile picture URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
website Web page or blog URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
email Preferred e-mail address [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
email_verified True if the e-mail address has been verified; otherwise false [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
gender Gender [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
birthdate Birthday [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
zoneinfo Time zone [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
locale Locale [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
phone_number Preferred telephone number [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
phone_number_verified True if the phone number has been verified; otherwise false [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
address Preferred postal address [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
updated_at Time the information was last updated [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1]
azp Authorized party - the party to which the ID Token was issued [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2]
nonce Value used to associate a Client session with an ID Token (MAY also be used for nonce values in other applications of JWTs) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2][RFC9449]
auth_time Time when the authentication occurred [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2]
at_hash Access Token hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2]
c_hash Code hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 3.3.2.11]
acr Authentication Context Class Reference [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2]
amr Authentication Methods References [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2]
sub_jwk Public key used to check the signature of an ID Token [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 7.4]
cnf Confirmation [IESG] [RFC7800, Section 3.1]
sip_from_tag SIP From tag header field parameter value [IESG] [RFC8055][RFC3261]
sip_date SIP Date header field value [IESG] [RFC8055][RFC3261]
sip_callid SIP Call-Id header field value [IESG] [RFC8055][RFC3261]
sip_cseq_num SIP CSeq numeric header field parameter value [IESG] [RFC8055][RFC3261]
sip_via_branch SIP Via branch header field parameter value [IESG] [RFC8055][RFC3261]
orig Originating Identity String [IESG] [RFC8225, Section 5.2.1]
dest Destination Identity String [IESG] [RFC8225, Section 5.2.1]
mky Media Key Fingerprint String [IESG] [RFC8225, Section 5.2.2]
events Security Events [IESG] [RFC8417, Section 2.2]
toe Time of Event [IESG] [RFC8417, Section 2.2]
txn Transaction Identifier [IESG] [RFC8417, Section 2.2]
rph Resource Priority Header Authorization [IESG] [RFC8443, Section 3]
sid Session ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Front-Channel Logout 1.0, Section 3]
vot Vector of Trust value [IESG] [RFC8485]
vtm Vector of Trust trustmark URL [IESG] [RFC8485]
attest Attestation level as defined in SHAKEN framework [IESG] [RFC8588]
origid Originating Identifier as defined in SHAKEN framework [IESG] [RFC8588]
act Actor [IESG] [RFC8693, Section 4.1]
scope Scope Values [IESG] [RFC8693, Section 4.2]
client_id Client Identifier [IESG] [RFC8693, Section 4.3]
may_act Authorized Actor - the party that is authorized to become the actor [IESG] [RFC8693, Section 4.4]
jcard jCard data [IESG] [RFC8688][RFC7095]
at_use_nbr Number of API requests for which the access token can be used [ETSI] [ETSI GS NFV-SEC 022 V2.7.1]
div Diverted Target of a Call [IESG] [RFC8946]
opt Original PASSporT (in Full Form) [IESG] [RFC8946]
vc Verifiable Credential as specified in the W3C Recommendation [IESG] [W3C Recommendation Verifiable Credentials Data Model 1.0 - Expressing verifiable information on the Web (19 November 2019), Section 6.3.1]
vp Verifiable Presentation as specified in the W3C Recommendation [IESG] [W3C Recommendation Verifiable Credentials Data Model 1.0 - Expressing verifiable information on the Web (19 November 2019), Section 6.3.1]
sph SIP Priority header field [IESG] [RFC9027]
ace_profile The ACE profile a token is supposed to be used with. [IETF] [RFC9200, Section 5.10]
cnonce "client-nonce". A nonce previously provided to the AS by the RS via the client. Used to verify token freshness when the RS cannot synchronize its clock with the AS. [IETF] [RFC9200, Section 5.10]
exi "Expires in". Lifetime of the token in seconds from the time the RS first sees it. Used to implement a weaker from of token expiration for devices that cannot synchronize their internal clocks. [IETF] [RFC9200, Section 5.10.3]
roles Roles [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1]
groups Groups [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1]
entitlements Entitlements [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1]
token_introspection Token introspection response [IETF] [RFC-ietf-oauth-jwt-introspection-response-12, Section 5]
eat_nonce Nonce [IETF] [RFC-ietf-rats-eat-30]
ueid The Universal Entity ID [IETF] [RFC-ietf-rats-eat-30]
sueids Semi-permanent UEIDs [IETF] [RFC-ietf-rats-eat-30]
oemid Hardware OEM ID [IETF] [RFC-ietf-rats-eat-30]
hwmodel Model identifier for hardware [IETF] [RFC-ietf-rats-eat-30]
hwversion Hardware Version Identifier [IETF] [RFC-ietf-rats-eat-30]
oemboot Indicates whether the software booted was OEM authorized [IETF] [RFC-ietf-rats-eat-30]
dbgstat Indicates status of debug facilities [IETF] [RFC-ietf-rats-eat-30]
location The geographic location [IETF] [RFC-ietf-rats-eat-30]
eat_profile Indicates the EAT profile followed [IETF] [RFC-ietf-rats-eat-30]
submods The section containing submodules [IETF] [RFC-ietf-rats-eat-30]
uptime Uptime [IETF] [RFC-ietf-rats-eat-30]
bootcount The number times the entity or submodule has been booted [IETF] [RFC-ietf-rats-eat-30]
bootseed Identifies a boot cycle [IETF] [RFC-ietf-rats-eat-30]
dloas Certifications received as Digital Letters of Approval [IETF] [RFC-ietf-rats-eat-30]
swname The name of the software running in the entity [IETF] [RFC-ietf-rats-eat-30]
swversion The version of software running in the entity [IETF] [RFC-ietf-rats-eat-30]
manifests Manifests describing the software installed on the entity [IETF] [RFC-ietf-rats-eat-30]
measurements Measurements of the software, memory configuration and such on the entity [IETF] [RFC-ietf-rats-eat-30]
measres The results of comparing software measurements to reference values [IETF] [RFC-ietf-rats-eat-30]
intuse Indicates intended use of the EAT [IETF] [RFC-ietf-rats-eat-30]
cdniv CDNI Claim Set Version [IETF] [RFC9246, Section 2.1.8]
cdnicrit CDNI Critical Claims Set [IETF] [RFC9246, Section 2.1.9]
cdniip CDNI IP Address [IETF] [RFC9246, Section 2.1.10]
cdniuc CDNI URI Container [IETF] [RFC9246, Section 2.1.11]
cdniets CDNI Expiration Time Setting for Signed Token Renewal [IETF] [RFC9246, Section 2.1.12]
cdnistt CDNI Signed Token Transport Method for Signed Token Renewal [IETF] [RFC9246, Section 2.1.13]
cdnistd CDNI Signed Token Depth [IETF] [RFC9246, Section 2.1.14]
sig_val_claims Signature Validation Token [IETF] [RFC9321, Section 3.2.3]
authorization_details The claim authorization_details contains a JSON array of JSON objects representing the rights of the access token. Each JSON object contains the data to specify the authorization requirements for a certain type of resource. [IETF] [RFC9396, Section 9.1]
verified_claims A structured claim containing end-user claims and the details of how those end-user claims were assured. [eKYC_and_Identity_Assurance_WG] [OpenID Identity Assurance Schema Definition 1.0, Section 5]
place_of_birth A structured claim representing the end-user's place of birth. [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
nationalities String array representing the end-user's nationalities. [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
birth_family_name Family name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the family name(s) later in life for any reason. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
birth_given_name Given name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the given name later in life for any reason. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
birth_middle_name Middle name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the middle name later in life for any reason. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
salutation End-user's salutation, e.g., "Mr" [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
title End-user's title, e.g., "Dr" [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
msisdn End-user's mobile phone number formatted according to ITU-T recommendation [E.164] [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
also_known_as Stage name, religious name or any other type of alias/pseudonym with which a person is known in a specific context besides its legal name. [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
htm The HTTP method of the request [IETF] [RFC9449, Section 4.2]
htu The HTTP URI of the request (without query and fragment parts) [IETF] [RFC9449, Section 4.2]
ath The base64url-encoded SHA-256 hash of the ASCII encoding of the associated access token's value [IETF] [RFC9449, Section 4.2]
atc Authority Token Challenge [IETF] [RFC9447]
sub_id Subject Identifier [IETF] [RFC9493, Section 4.1]
rcd Rich Call Data Information [IETF] [RFC-ietf-stir-passport-rcd-26]
rcdi Rich Call Data Integrity Information [IETF] [RFC-ietf-stir-passport-rcd-26]
crn Call Reason [IETF] [RFC-ietf-stir-passport-rcd-26]
msgi Message Integrity Information [IETF] [RFC9475]
_claim_names JSON object whose member names are the Claim Names for the Aggregated and Distributed Claims [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.6.2]
_claim_sources JSON object whose member names are referenced by the member values of the _claim_names member [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.6.2]
rdap_allowed_purposes This claim describes the set of RDAP query purposes that are available to an identity that is presented for access to a protected RDAP resource. [IETF] [RFC9560, Section 3.1.5.1]
rdap_dnt_allowed This claim contains a JSON boolean literal that describes a "do not track" request for server-side tracking, logging, or recording of an identity that is presented for access to a protected RDAP resource. [IETF] [RFC9560, Section 3.1.5.2]
geohash Geohash String or Array [Consumer_Technology_Association] [Fast and Readable Geographical Hashing (CTA-5009)]

JWT Confirmation Methods

Registration Procedure(s)
Specification Required
Expert(s)
John Bradley, Hannes Tschofenig
Reference
[RFC7800]
Note
Registration requests should be sent to the mailing list described in 
[RFC7800]. If approved, designated experts should notify IANA within 
three weeks. For assistance, please contact iana@iana.org.
    
Available Formats

CSV
Confirmation Method Value Confirmation Method Description Change Controller Reference
jwk JSON Web Key Representing Public Key [IESG] [RFC7800, Section 3.2]
jwe Encrypted JSON Web Key [IESG] [RFC7800, Section 3.3]
kid Key Identifier [IESG] [RFC7800, Section 3.4]
jku JWK Set URL [IESG] [RFC7800, Section 3.5]
x5t#S256 X.509 Certificate SHA-256 Thumbprint [IESG] [RFC8705, Section 3.1]
osc OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation [IETF] [RFC9203, Section 3.2.1]
jkt JWK SHA-256 Thumbprint [IETF] [RFC9449, Section 6]

Contact Information

ID Name Contact URI Last Updated
[Consumer_Technology_Association] Consumer Technology Association mailto:standards&cta.tech 2024-08-02
[eKYC_and_Identity_Assurance_WG] eKYC and Identity Assurance Working Group mailto:openid-specs-ekyc-ida&lists.openid.net 2024-08-02
[ETSI] ETSI mailto:pnns&etsi.org 2024-08-02
[IESG] IESG mailto:iesg&ietf.org
[IETF] IETF mailto:iesg&ietf.org
[OpenID_Foundation_Artifact_Binding_Working_Group] OpenID Foundation Artifact Binding Working Group mailto:openid-specs-ab&lists.openid.net 2024-08-02