Internet Assigned Numbers Authority • Domains • Protocols • Numbers • About JSON Web Token (JWT) Created 2015-01-23 Last Updated 2025-12-31 Available Formats [IMG] XML [IMG] HTML [IMG] Plain text Registries Included Below • JSON Web Token Claims • JWT Confirmation Methods JSON Web Token Claims Registration Procedure(s) Specification Required Expert(s) Brian Campbell, Mike Jones, Nat Sakimura, Filip Skokan Reference [RFC7519] Note Registration requests should be sent to the mailing list described in [RFC7519]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Claim Name Claim Description Change Controller Reference iss Issuer [IESG] [RFC7519, Section 4.1.1] sub Subject [IESG] [RFC7519, Section 4.1.2] aud Audience [IESG] [RFC7519, Section 4.1.3] exp Expiration Time [IESG] [RFC7519, Section 4.1.4] nbf Not Before [IESG] [RFC7519, Section 4.1.5] iat Issued At [IESG] [RFC7519, Section 4.1.6] jti JWT ID [IESG] [RFC7519, Section 4.1.7] name Full name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] given_name Given name(s) or first name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] family_name Surname(s) or last name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] middle_name Middle name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] nickname Casual name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] preferred_username Shorthand name by which the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section End-User wishes to be referred to 5.1] profile Profile page URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] picture Profile picture URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] website Web page or blog URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] email Preferred e-mail address [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] email_verified True if the e-mail address has been [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section verified; otherwise false 5.1] gender Gender [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] birthdate Birthday [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] zoneinfo Time zone [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] locale Locale [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] phone_number Preferred telephone number [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] phone_number_verified True if the phone number has been [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section verified; otherwise false 5.1] address Preferred postal address [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] updated_at Time the information was last [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section updated 5.1] azp Authorized party - the party to [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section which the ID Token was issued 2] Value used to associate a Client nonce session with an ID Token (MAY also [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section be used for nonce values in other 2][RFC9449] applications of JWTs) auth_time Time when the authentication [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section occurred 2] at_hash Access Token hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] c_hash Code hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 3.3.2.11] acr Authentication Context Class [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section Reference 2] amr Authentication Methods References [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] sub_jwk Public key used to check the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section signature of an ID Token 7.4] cnf Confirmation [IESG] [RFC7800, Section 3.1] sip_from_tag SIP From tag header field parameter [IESG] [RFC8055][RFC3261] value sip_date SIP Date header field value [IESG] [RFC8055][RFC3261] sip_callid SIP Call-Id header field value [IESG] [RFC8055][RFC3261] sip_cseq_num SIP CSeq numeric header field [IESG] [RFC8055][RFC3261] parameter value sip_via_branch SIP Via branch header field [IESG] [RFC8055][RFC3261] parameter value orig Originating Identity String [IESG] [RFC8225, Section 5.2.1] dest Destination Identity String [IESG] [RFC8225, Section 5.2.1] mky Media Key Fingerprint String [IESG] [RFC8225, Section 5.2.2] events Security Events [IESG] [RFC8417, Section 2.2] toe Time of Event [IESG] [RFC8417, Section 2.2] txn Transaction Identifier [IESG] [RFC8417, Section 2.2] rph Resource Priority Header [IESG] [RFC8443, Section 3] Authorization sid Session ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Front-Channel Logout 1.0, Section 3] vot Vector of Trust value [IESG] [RFC8485] vtm Vector of Trust trustmark URL [IESG] [RFC8485] attest Attestation level as defined in [IESG] [RFC8588] SHAKEN framework origid Originating Identifier as defined [IESG] [RFC8588] in SHAKEN framework act Actor [IESG] [RFC8693, Section 4.1] scope Scope Values [IESG] [RFC8693, Section 4.2] client_id Client Identifier [IESG] [RFC8693, Section 4.3] may_act Authorized Actor - the party that [IESG] [RFC8693, Section 4.4] is authorized to become the actor jcard jCard data [IESG] [RFC8688][RFC7095] at_use_nbr Number of API requests for which [ETSI] [ETSI GS NFV-SEC 022 V2.7.1] the access token can be used div Diverted Target of a Call [IESG] [RFC8946] opt Original PASSporT (in Full Form) [IESG] [RFC8946] [W3C Recommendation Verifiable Verifiable Credential as specified Credentials Data Model 1.0 - vc in the W3C Recommendation [IESG] Expressing verifiable information on the Web (19 November 2019), Section 6.3.1] [W3C Recommendation Verifiable Verifiable Presentation as Credentials Data Model 1.0 - vp specified in the W3C Recommendation [IESG] Expressing verifiable information on the Web (19 November 2019), Section 6.3.1] sph SIP Priority header field [IESG] [RFC9027] ace_profile The ACE profile a token is supposed [IETF] [RFC9200, Section 5.10] to be used with. "client-nonce". A nonce previously provided to the AS by the RS via cnonce the client. Used to verify token [IETF] [RFC9200, Section 5.10] freshness when the RS cannot synchronize its clock with the AS. "Expires in". Lifetime of the token in seconds from the time the RS exi first sees it. Used to implement a [IETF] [RFC9200, Section 5.10.3] weaker from of token expiration for devices that cannot synchronize their internal clocks. roles Roles [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] groups Groups [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] entitlements Entitlements [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] token_introspection Token introspection response [IETF] [RFC9701, Section 5] eat_nonce Nonce [IETF] [RFC9711] ueid Universal Entity ID [IETF] [RFC9711] sueids Semipermanent UEIDs [IETF] [RFC9711] oemid Hardware OEM ID [IETF] [RFC9711] hwmodel Model identifier for hardware [IETF] [RFC9711] hwversion Hardware Version Identifier [IETF] [RFC9711] oemboot Indicates whether the software [IETF] [RFC9711] booted was OEM authorized dbgstat The status of debug facilities [IETF] [RFC9711] location The geographic location [IETF] [RFC9711] eat_profile The EAT profile followed [IETF] [RFC9711] submods The section containing submodules [IETF] [RFC9711] uptime Uptime [IETF] [RFC9711] bootcount The number of times the entity or [IETF] [RFC9711] submodule has been booted bootseed Identifies a boot cycle [IETF] [RFC9711] dloas Certifications received as Digital [IETF] [RFC9711] Letters of Approval swname The name of the software running in [IETF] [RFC9711] the entity swversion The version of software running in [IETF] [RFC9711] the entity manifests Manifests describing the software [IETF] [RFC9711] installed on the entity Measurements of the software, measurements memory configuration, and such on [IETF] [RFC9711] the entity measres The results of comparing software [IETF] [RFC9711] measurements to reference values intuse The intended use of the EAT [IETF] [RFC9711] cdniv CDNI Claim Set Version [IETF] [RFC9246, Section 2.1.8] cdnicrit CDNI Critical Claims Set [IETF] [RFC9246, Section 2.1.9] cdniip CDNI IP Address [IETF] [RFC9246, Section 2.1.10] cdniuc CDNI URI Container [IETF] [RFC9246, Section 2.1.11] cdniets CDNI Expiration Time Setting for [IETF] [RFC9246, Section 2.1.12] Signed Token Renewal cdnistt CDNI Signed Token Transport Method [IETF] [RFC9246, Section 2.1.13] for Signed Token Renewal cdnistd CDNI Signed Token Depth [IETF] [RFC9246, Section 2.1.14] sig_val_claims Signature Validation Token [IETF] [RFC9321, Section 3.2.3] The claim authorization_details contains a JSON array of JSON objects representing the rights of authorization_details the access token. Each JSON object [IETF] [RFC9396, Section 9.1] contains the data to specify the authorization requirements for a certain type of resource. A structured claim containing verified_claims end-user claims and the details of [eKYC_and_Identity_Assurance_WG] [OpenID Identity Assurance Schema how those end-user claims were Definition 1.0, Section 5] assured. A structured claim representing the [OpenID Connect for Identity place_of_birth end-user's place of birth. [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, Section 4] String array representing the [OpenID Connect for Identity nationalities end-user's nationalities. [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, Section 4] Family name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the family name(s) later in [OpenID Connect for Identity birth_family_name life for any reason. Note that in [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, some cultures, people can have Section 4] multiple family names or no family name; all can be present, with the names being separated by space characters. Given name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes [OpenID Connect for Identity birth_given_name the given name later in life for [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, any reason. Note that in some Section 4] cultures, people can have multiple given names; all can be present, with the names being separated by space characters. Middle name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the middle name later in [OpenID Connect for Identity birth_middle_name life for any reason. Note that in [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, some cultures, people can have Section 4] multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. [OpenID Connect for Identity salutation End-user's salutation, e.g., "Mr" [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, Section 4] [OpenID Connect for Identity title End-user's title, e.g., "Dr" [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, Section 4] End-user's mobile phone number [OpenID Connect for Identity msisdn formatted according to ITU-T [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, recommendation [E.164] Section 4] Stage name, religious name or any other type of alias/pseudonym with [OpenID Connect for Identity also_known_as which a person is known in a [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, specific context besides its legal Section 4] name. htm The HTTP method of the request [IETF] [RFC9449, Section 4.2] htu The HTTP URI of the request [IETF] [RFC9449, Section 4.2] (without query and fragment parts) The base64url-encoded SHA-256 hash ath of the ASCII encoding of the [IETF] [RFC9449, Section 4.2] associated access token's value atc Authority Token Challenge [IETF] [RFC9447] sub_id Subject Identifier [IETF] [RFC9493, Section 4.1] rcd Rich Call Data Information [IETF] [RFC9795] rcdi Rich Call Data Integrity [IETF] [RFC9795] Information crn Call Reason [IETF] [RFC9795] msgi Message Integrity Information [IETF] [RFC9475] JSON object whose member names are [OpenID Connect Core 1.0, Section _claim_names the Claim Names for the Aggregated [OpenID_Foundation_Artifact_Binding_Working_Group] 5.6.2] and Distributed Claims JSON object whose member names are [OpenID Connect Core 1.0, Section _claim_sources referenced by the member values of [OpenID_Foundation_Artifact_Binding_Working_Group] 5.6.2] the _claim_names member This claim describes the set of RDAP query purposes that are rdap_allowed_purposes available to an identity that is [IETF] [RFC9560, Section 3.1.5.1] presented for access to a protected RDAP resource. This claim contains a JSON boolean literal that describes a "do not track" request for server-side rdap_dnt_allowed tracking, logging, or recording of [IETF] [RFC9560, Section 3.1.5.2] an identity that is presented for access to a protected RDAP resource. geohash Geohash String or Array [Consumer_Technology_Association] [Fast and Readable Geographical Hashing (CTA-5009)] _sd Digests of Disclosures for object [IETF] [RFC9901, Section 4.2.4.1] properties ... Digest of the Disclosure for an [IETF] [RFC9901, Section 4.2.4.2] array element Hash algorithm used to generate _sd_alg Disclosure digests and digest over [IETF] [RFC9901, Section 4.1.1] presentation sd_hash Digest of the SD-JWT to which the [IETF] [RFC9901, Section 4.3] KB-JWT is tied consumerPlmnId PLMN ID of the NF service consumer [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] consumerSnpnId SNPN ID of the NF service consumer [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] producerPlmnId PLMN ID of the NF service producer [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] producerSnpnId SNPN ID of the NF service producer [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] list of S-NSSAIs of the NF service producerSnssaiList producer which are authorized for [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] the NF service consumer List of NSIs of the NF service producerNsiList producer which are authorized for [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] the NF service consumer producerNfSetId NF Set ID of the NF service [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] producer producerNfServiceSetId NF Service Set ID of the NF Service [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] Producer sourceNfInstanceId NF Instance ID of the source NF [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] analyticsIdList Analytics IDs [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] Contains the identifier of the resOwnerId resource owner, e.g., GPSI as [_3GPP_Specifications_Manager] [3GPP TS 29.222, Clause 8.5.4.2.8] specified in clause 5.3.2 of [3GPP TS 29.571]. cmw A RATS Conceptual Message Wrapper [IETF] [RFC-ietf-rats-msg-wrap-22, Sections 3.1, 3.3] jwks JSON Web Key Set [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 13.1] metadata Metadata object [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 13.2] constraints Constraints object [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 13.3] List of Claims in this JWT defined crit by extensions to this kind of JWT [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, that MUST be understood and Section 13.4] processed ref Reference [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 13.5] delegation Delegation [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 13.6] logo_uri URI referencing a logo [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 13.7] authority_hints Authority Hints [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 3.2] trust_anchor_hints Trust Anchor Hints [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 3.2] trust_marks Trust Marks [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 3.2] trust_mark_issuers Trust Mark Issuers [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 3.2] trust_mark_owners Trust Mark Owners [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 3.2] metadata_policy Metadata Policy object [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 3.3] metadata_policy_crit Critical Metadata Policy Operators [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 3.3] source_endpoint Source Endpoint URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 3.3] keys Array of JWK values in a JWK Set [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 5.2.1] trust_mark_type Trust Mark Type Identifier [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 7.1] trust_chain Trust Chain [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 8.3.2] trust_anchor Trust Anchor ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0 - draft 46, Section 12.2.3] JWT Confirmation Methods Registration Procedure(s) Specification Required Expert(s) John Bradley, Hannes Tschofenig Reference [RFC7800] Note Registration requests should be sent to the mailing list described in [RFC7800]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Confirmation Method Value Confirmation Method Description Change Controller Reference jwk JSON Web Key Representing Public Key [IESG] [RFC7800, Section 3.2] jwe Encrypted JSON Web Key [IESG] [RFC7800, Section 3.3] kid Key Identifier [IESG] [RFC7800, Section 3.4] jku JWK Set URL [IESG] [RFC7800, Section 3.5] x5t#S256 X.509 Certificate SHA-256 Thumbprint [IESG] [RFC8705, Section 3.1] osc OSCORE_Input_Material carrying the parameters for using OSCORE per-message [IETF] [RFC9203, Section 3.2.1] security with implicit key confirmation jkt JWK SHA-256 Thumbprint [IETF] [RFC9449, Section 6] Contact Information ID Name Contact URI Last Updated [_3GPP_Specifications_Manager] 3GPP Specifications Manager mailto:3gppContact&etsi.org 2025-08-20 [Consumer_Technology_Association] Consumer Technology Association mailto:standards&cta.tech 2024-08-02 [eKYC_and_Identity_Assurance_WG] eKYC and Identity Assurance mailto:openid-specs-ekyc-ida&lists.openid.net 2024-08-02 Working Group [ETSI] ETSI mailto:pnns&etsi.org 2024-08-02 [IESG] IESG mailto:iesg&ietf.org [IETF] IETF mailto:iesg&ietf.org [OpenID_Foundation_Artifact_Binding_Working_Group] OpenID Foundation Artifact Binding mailto:openid-specs-ab&lists.openid.net 2024-08-02 Working Group Licensing Terms