Internet Assigned Numbers Authority

JSON Web Token (JWT)

Created: 2015-01-23
Last Updated: 2025-11-24

Registries Included Below
• JSON Web Token Claims
• JWT Confirmation Methods

JSON Web Token Claims

Registration Procedure(s): Specification Required
Expert(s): Brian Campbell, Mike Jones, Nat Sakimura, Filip Skokan
Reference: [RFC7519]
Note: Registration requests should be sent to the mailing list described in [RFC7519]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org.

Claim Name | Claim Description | Change Controller | Reference
iss | Issuer | [IESG] | [RFC7519, Section 4.1.1]
sub | Subject | [IESG] | [RFC7519, Section 4.1.2]
aud | Audience | [IESG] | [RFC7519, Section 4.1.3]
exp | Expiration Time | [IESG] | [RFC7519, Section 4.1.4]
nbf | Not Before | [IESG] | [RFC7519, Section 4.1.5]
iat | Issued At | [IESG] | [RFC7519, Section 4.1.6]
jti | JWT ID | [IESG] | [RFC7519, Section 4.1.7]
name | Full name | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
given_name | Given name(s) or first name(s) | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
family_name | Surname(s) or last name(s) | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
middle_name | Middle name(s) | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
nickname | Casual name | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
preferred_username | Shorthand name by which the End-User wishes to be referred to | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
profile | Profile page URL | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
picture | Profile picture URL | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
website | Web page or blog URL | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
email | Preferred e-mail address | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
email_verified | True if the e-mail address has been verified; otherwise false | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
gender | Gender | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
birthdate | Birthday | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
zoneinfo | Time zone | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
locale | Locale | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
phone_number | Preferred telephone number | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
phone_number_verified | True if the phone number has been verified; otherwise false | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
address | Preferred postal address | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
updated_at | Time the information was last updated | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.1]
azp | Authorized party - the party to which the ID Token was issued | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 2]
nonce | Value used to associate a Client session with an ID Token (MAY also be used for nonce values in other applications of JWTs) | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 2][RFC9449]
auth_time | Time when the authentication occurred | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 2]
at_hash | Access Token hash value | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 2]
c_hash | Code hash value | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 3.3.2.11]
acr | Authentication Context Class Reference | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 2]
amr | Authentication Methods References | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 2]
sub_jwk | Public key used to check the signature of an ID Token | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 7.4]
cnf | Confirmation | [IESG] | [RFC7800, Section 3.1]
sip_from_tag | SIP From tag header field parameter value | [IESG] | [RFC8055][RFC3261]
sip_date | SIP Date header field value | [IESG] | [RFC8055][RFC3261]
sip_callid | SIP Call-Id header field value | [IESG] | [RFC8055][RFC3261]
sip_cseq_num | SIP CSeq numeric header field parameter value | [IESG] | [RFC8055][RFC3261]
sip_via_branch | SIP Via branch header field parameter value | [IESG] | [RFC8055][RFC3261]
orig | Originating Identity String | [IESG] | [RFC8225, Section 5.2.1]
dest | Destination Identity String | [IESG] | [RFC8225, Section 5.2.1]
mky | Media Key Fingerprint String | [IESG] | [RFC8225, Section 5.2.2]
events | Security Events | [IESG] | [RFC8417, Section 2.2]
toe | Time of Event | [IESG] | [RFC8417, Section 2.2]
txn | Transaction Identifier | [IESG] | [RFC8417, Section 2.2]
rph | Resource Priority Header Authorization | [IESG] | [RFC8443, Section 3]
sid | Session ID | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Front-Channel Logout 1.0, Section 3]
vot | Vector of Trust value | [IESG] | [RFC8485]
vtm | Vector of Trust trustmark URL | [IESG] | [RFC8485]
attest | Attestation level as defined in SHAKEN framework | [IESG] | [RFC8588]
origid | Originating Identifier as defined in SHAKEN framework | [IESG] | [RFC8588]
act | Actor | [IESG] | [RFC8693, Section 4.1]
scope | Scope Values | [IESG] | [RFC8693, Section 4.2]
client_id | Client Identifier | [IESG] | [RFC8693, Section 4.3]
may_act | Authorized Actor - the party that is authorized to become the actor | [IESG] | [RFC8693, Section 4.4]
jcard | jCard data | [IESG] | [RFC8688][RFC7095]
at_use_nbr | Number of API requests for which the access token can be used | [ETSI] | [ETSI GS NFV-SEC 022 V2.7.1]
div | Diverted Target of a Call | [IESG] | [RFC8946]
opt | Original PASSporT (in Full Form) | [IESG] | [RFC8946]
vc | Verifiable Credential as specified in the W3C Recommendation | [IESG] | [W3C Recommendation Verifiable Credentials Data Model 1.0 - Expressing verifiable information on the Web (19 November 2019), Section 6.3.1]
vp | Verifiable Presentation as specified in the W3C Recommendation | [IESG] | [W3C Recommendation Verifiable Credentials Data Model 1.0 - Expressing verifiable information on the Web (19 November 2019), Section 6.3.1]
sph | SIP Priority header field | [IESG] | [RFC9027]
ace_profile | The ACE profile a token is supposed to be used with. | [IETF] | [RFC9200, Section 5.10]
cnonce | "client-nonce". A nonce previously provided to the AS by the RS via the client. Used to verify token freshness when the RS cannot synchronize its clock with the AS. | [IETF] | [RFC9200, Section 5.10]
exi | "Expires in". Lifetime of the token in seconds from the time the RS first sees it. Used to implement a weaker form of token expiration for devices that cannot synchronize their internal clocks. | [IETF] | [RFC9200, Section 5.10.3]
roles | Roles | [IETF] | [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1]
groups | Groups | [IETF] | [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1]
entitlements | Entitlements | [IETF] | [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1]
token_introspection | Token introspection response | [IETF] | [RFC9701, Section 5]
eat_nonce | Nonce | [IETF] | [RFC9711]
ueid | Universal Entity ID | [IETF] | [RFC9711]
sueids | Semipermanent UEIDs | [IETF] | [RFC9711]
oemid | Hardware OEM ID | [IETF] | [RFC9711]
hwmodel | Model identifier for hardware | [IETF] | [RFC9711]
hwversion | Hardware Version Identifier | [IETF] | [RFC9711]
oemboot | Indicates whether the software booted was OEM authorized | [IETF] | [RFC9711]
dbgstat | The status of debug facilities | [IETF] | [RFC9711]
location | The geographic location | [IETF] | [RFC9711]
eat_profile | The EAT profile followed | [IETF] | [RFC9711]
submods | The section containing submodules | [IETF] | [RFC9711]
uptime | Uptime | [IETF] | [RFC9711]
bootcount | The number of times the entity or submodule has been booted | [IETF] | [RFC9711]
bootseed | Identifies a boot cycle | [IETF] | [RFC9711]
dloas | Certifications received as Digital Letters of Approval | [IETF] | [RFC9711]
swname | The name of the software running in the entity | [IETF] | [RFC9711]
swversion | The version of software running in the entity | [IETF] | [RFC9711]
manifests | Manifests describing the software installed on the entity | [IETF] | [RFC9711]
measurements | Measurements of the software, memory configuration, and such on the entity | [IETF] | [RFC9711]
measres | The results of comparing software measurements to reference values | [IETF] | [RFC9711]
intuse | The intended use of the EAT | [IETF] | [RFC9711]
cdniv | CDNI Claim Set Version | [IETF] | [RFC9246, Section 2.1.8]
cdnicrit | CDNI Critical Claims Set | [IETF] | [RFC9246, Section 2.1.9]
cdniip | CDNI IP Address | [IETF] | [RFC9246, Section 2.1.10]
cdniuc | CDNI URI Container | [IETF] | [RFC9246, Section 2.1.11]
cdniets | CDNI Expiration Time Setting for Signed Token Renewal | [IETF] | [RFC9246, Section 2.1.12]
cdnistt | CDNI Signed Token Transport Method for Signed Token Renewal | [IETF] | [RFC9246, Section 2.1.13]
cdnistd | CDNI Signed Token Depth | [IETF] | [RFC9246, Section 2.1.14]
sig_val_claims | Signature Validation Token | [IETF] | [RFC9321, Section 3.2.3]
authorization_details | The claim authorization_details contains a JSON array of JSON objects representing the rights of the access token. Each JSON object contains the data to specify the authorization requirements for a certain type of resource. | [IETF] | [RFC9396, Section 9.1]
verified_claims | A structured claim containing end-user claims and the details of how those end-user claims were assured. | [eKYC_and_Identity_Assurance_WG] | [OpenID Identity Assurance Schema Definition 1.0, Section 5]
place_of_birth | A structured claim representing the end-user's place of birth. | [eKYC_and_Identity_Assurance_WG] | [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
nationalities | String array representing the end-user's nationalities. | [eKYC_and_Identity_Assurance_WG] | [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
birth_family_name | Family name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the family name(s) later in life for any reason. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. | [eKYC_and_Identity_Assurance_WG] | [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
birth_given_name | Given name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the given name later in life for any reason. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. | [eKYC_and_Identity_Assurance_WG] | [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
birth_middle_name | Middle name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the middle name later in life for any reason. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. | [eKYC_and_Identity_Assurance_WG] | [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
salutation | End-user's salutation, e.g., "Mr" | [eKYC_and_Identity_Assurance_WG] | [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
title | End-user's title, e.g., "Dr" | [eKYC_and_Identity_Assurance_WG] | [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
msisdn | End-user's mobile phone number formatted according to ITU-T recommendation [E.164] | [eKYC_and_Identity_Assurance_WG] | [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
also_known_as | Stage name, religious name or any other type of alias/pseudonym with which a person is known in a specific context besides its legal name. | [eKYC_and_Identity_Assurance_WG] | [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4]
htm | The HTTP method of the request | [IETF] | [RFC9449, Section 4.2]
htu | The HTTP URI of the request (without query and fragment parts) | [IETF] | [RFC9449, Section 4.2]
ath | The base64url-encoded SHA-256 hash of the ASCII encoding of the associated access token's value | [IETF] | [RFC9449, Section 4.2]
atc | Authority Token Challenge | [IETF] | [RFC9447]
sub_id | Subject Identifier | [IETF] | [RFC9493, Section 4.1]
rcd | Rich Call Data Information | [IETF] | [RFC9795]
rcdi | Rich Call Data Integrity Information | [IETF] | [RFC9795]
crn | Call Reason | [IETF] | [RFC9795]
msgi | Message Integrity Information | [IETF] | [RFC9475]
_claim_names | JSON object whose member names are the Claim Names for the Aggregated and Distributed Claims | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.6.2]
_claim_sources | JSON object whose member names are referenced by the member values of the _claim_names member | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0, Section 5.6.2]
rdap_allowed_purposes | This claim describes the set of RDAP query purposes that are available to an identity that is presented for access to a protected RDAP resource. | [IETF] | [RFC9560, Section 3.1.5.1]
rdap_dnt_allowed | This claim contains a JSON boolean literal that describes a "do not track" request for server-side tracking, logging, or recording of an identity that is presented for access to a protected RDAP resource. | [IETF] | [RFC9560, Section 3.1.5.2]
geohash | Geohash String or Array | [Consumer_Technology_Association] | [Fast and Readable Geographical Hashing (CTA-5009)]
_sd | Digests of Disclosures for object properties | [IETF] | [RFC9901, Section 4.2.4.1]
... | Digest of the Disclosure for an array element | [IETF] | [RFC9901, Section 4.2.4.2]
_sd_alg | Hash algorithm used to generate Disclosure digests and digest over presentation | [IETF] | [RFC9901, Section 4.1.1]
sd_hash | Digest of the SD-JWT to which the KB-JWT is tied | [IETF] | [RFC9901, Section 4.3]
consumerPlmnId | PLMN ID of the NF service consumer | [_3GPP_Specifications_Manager] | [3GPP TS 29.510, Clause 6.3.5.2.4]
consumerSnpnId | SNPN ID of the NF service consumer | [_3GPP_Specifications_Manager] | [3GPP TS 29.510, Clause 6.3.5.2.4]
producerPlmnId | PLMN ID of the NF service producer | [_3GPP_Specifications_Manager] | [3GPP TS 29.510, Clause 6.3.5.2.4]
producerSnpnId | SNPN ID of the NF service producer | [_3GPP_Specifications_Manager] | [3GPP TS 29.510, Clause 6.3.5.2.4]
producerSnssaiList | List of S-NSSAIs of the NF service producer which are authorized for the NF service consumer | [_3GPP_Specifications_Manager] | [3GPP TS 29.510, Clause 6.3.5.2.4]
producerNsiList | List of NSIs of the NF service producer which are authorized for the NF service consumer | [_3GPP_Specifications_Manager] | [3GPP TS 29.510, Clause 6.3.5.2.4]
producerNfSetId | NF Set ID of the NF service producer | [_3GPP_Specifications_Manager] | [3GPP TS 29.510, Clause 6.3.5.2.4]
producerNfServiceSetId | NF Service Set ID of the NF Service Producer | [_3GPP_Specifications_Manager] | [3GPP TS 29.510, Clause 6.3.5.2.4]
sourceNfInstanceId | NF Instance ID of the source NF | [_3GPP_Specifications_Manager] | [3GPP TS 29.510, Clause 6.3.5.2.4]
analyticsIdList | Analytics IDs | [_3GPP_Specifications_Manager] | [3GPP TS 29.510, Clause 6.3.5.2.4]
resOwnerId | Contains the identifier of the resource owner, e.g., GPSI as specified in clause 5.3.2 of [3GPP TS 29.571]. | [_3GPP_Specifications_Manager] | [3GPP TS 29.222, Clause 8.5.4.2.8]

JWT Confirmation Methods

Registration Procedure(s): Specification Required
Expert(s): John Bradley, Hannes Tschofenig
Reference: [RFC7800]
Note: Registration requests should be sent to the mailing list described in [RFC7800]. If approved, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org.

Confirmation Method Value | Confirmation Method Description | Change Controller | Reference
jwk | JSON Web Key Representing Public Key | [IESG] | [RFC7800, Section 3.2]
jwe | Encrypted JSON Web Key | [IESG] | [RFC7800, Section 3.3]
kid | Key Identifier | [IESG] | [RFC7800, Section 3.4]
jku | JWK Set URL | [IESG] | [RFC7800, Section 3.5]
x5t#S256 | X.509 Certificate SHA-256 Thumbprint | [IESG] | [RFC8705, Section 3.1]
osc | OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation | [IETF] | [RFC9203, Section 3.2.1]
jkt | JWK SHA-256 Thumbprint | [IETF] | [RFC9449, Section 6]

Contact Information

ID | Name | Contact URI | Last Updated
[_3GPP_Specifications_Manager] | 3GPP Specifications Manager | mailto:3gppContact&etsi.org | 2025-08-20
[Consumer_Technology_Association] | Consumer Technology Association | mailto:standards&cta.tech | 2024-08-02
[eKYC_and_Identity_Assurance_WG] | eKYC and Identity Assurance Working Group | mailto:openid-specs-ekyc-ida&lists.openid.net | 2024-08-02
[ETSI] | ETSI | mailto:pnns&etsi.org | 2024-08-02
[IESG] | IESG | mailto:iesg&ietf.org |
[IETF] | IETF | mailto:iesg&ietf.org |
[OpenID_Foundation_Artifact_Binding_Working_Group] | OpenID Foundation Artifact Binding Working Group | mailto:openid-specs-ab&lists.openid.net | 2024-08-02