Internet Assigned Numbers Authority • Domains • Protocols • Numbers • About JSON Web Token (JWT) Created 2015-01-23 Last Updated 2026-06-29 Available Formats [IMG] XML [IMG] HTML [IMG] Plain text Registries Included Below • JSON Web Token Claims • JWT Confirmation Methods • JWT Status Mechanisms JSON Web Token Claims Registration Procedure(s) Specification Required Expert(s) Brian Campbell, Mike Jones, Nat Sakimura, Filip Skokan Reference [RFC7519] Note Registration requests should be sent to the mailing list described in [RFC7800]. If they approve, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. Available Formats [IMG] CSV Claim Name Claim Description Change Controller Reference iss Issuer [IESG] [RFC7519, Section 4.1.1] sub Subject [IESG] [RFC7519, Section 4.1.2] aud Audience [IESG] [RFC7519, Section 4.1.3] exp Expiration Time [IESG] [RFC7519, Section 4.1.4] nbf Not Before [IESG] [RFC7519, Section 4.1.5] iat Issued At [IESG] [RFC7519, Section 4.1.6] jti JWT ID [IESG] [RFC7519, Section 4.1.7] name Full name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] given_name Given name(s) or first [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] name(s) family_name Surname(s) or last name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] middle_name Middle name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] nickname Casual name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] Shorthand name by which the preferred_username End-User wishes to be [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] referred to profile Profile page URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] picture Profile picture URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] website Web page or blog URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] email Preferred e-mail address [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] True if the e-mail address email_verified has been verified; otherwise [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] false gender Gender [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] birthdate Birthday [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] zoneinfo Time zone [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] locale Locale [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] phone_number Preferred telephone number [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] True if the phone number has phone_number_verified been verified; otherwise [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] false address Preferred postal address [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] updated_at Time the information was last [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] updated Authorized party - the party azp to which the ID Token was [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] issued Value used to associate a Client session with an ID [OpenID Connect Core 1.0, Section nonce Token (MAY also be used for [OpenID_Foundation_Artifact_Binding_Working_Group] 2][RFC9449] nonce values in other applications of JWTs) auth_time Time when the authentication [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] occurred at_hash Access Token hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] c_hash Code hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 3.3.2.11] acr Authentication Context Class [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] Reference amr Authentication Methods [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] References sub_jwk Public key used to check the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 7.4] signature of an ID Token cnf Confirmation [IESG] [RFC7800, Section 3.1] sip_from_tag SIP From tag header field [IESG] [RFC8055][RFC3261] parameter value sip_date SIP Date header field value [IESG] [RFC8055][RFC3261] sip_callid SIP Call-Id header field [IESG] [RFC8055][RFC3261] value sip_cseq_num SIP CSeq numeric header field [IESG] [RFC8055][RFC3261] parameter value sip_via_branch SIP Via branch header field [IESG] [RFC8055][RFC3261] parameter value orig Originating Identity String [IESG] [RFC8225, Section 5.2.1] dest Destination Identity String [IESG] [RFC8225, Section 5.2.1] mky Media Key Fingerprint String [IESG] [RFC8225, Section 5.2.2] events Security Events [IESG] [RFC8417, Section 2.2] toe Time of Event [IESG] [RFC8417, Section 2.2] txn Transaction Identifier [IESG] [RFC8417, Section 2.2] rph Resource Priority Header [IESG] [RFC8443, Section 3] Authorization sid Session ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Front-Channel Logout 1.0, Section 3] vot Vector of Trust value [IESG] [RFC8485] vtm Vector of Trust trustmark URL [IESG] [RFC8485] attest Attestation level as defined [IESG] [RFC8588] in SHAKEN framework origid Originating Identifier as [IESG] [RFC8588] defined in SHAKEN framework act Actor [IESG] [RFC8693, Section 4.1] scope Scope Values [IESG] [RFC8693, Section 4.2] client_id Client Identifier [IESG] [RFC8693, Section 4.3] Authorized Actor - the party may_act that is authorized to become [IESG] [RFC8693, Section 4.4] the actor jcard jCard data [IESG] [RFC8688][RFC7095] Number of API requests for at_use_nbr which the access token can be [ETSI] [ETSI GS NFV-SEC 022 V2.7.1] used div Diverted Target of a Call [IESG] [RFC8946] opt Original PASSporT (in Full [IESG] [RFC8946] Form) Verifiable Credential as [W3C Recommendation Verifiable vc specified in the W3C [IESG] Credentials Data Model 1.0 - Expressing Recommendation verifiable information on the Web (19 November 2019), Section 6.3.1] Verifiable Presentation as [W3C Recommendation Verifiable vp specified in the W3C [IESG] Credentials Data Model 1.0 - Expressing Recommendation verifiable information on the Web (19 November 2019), Section 6.3.1] sph SIP Priority header field [IESG] [RFC9027] ace_profile The ACE profile a token is [IETF] [RFC9200, Section 5.10] supposed to be used with. "client-nonce". A nonce previously provided to the AS by the RS via the client. cnonce Used to verify token [IETF] [RFC9200, Section 5.10] freshness when the RS cannot synchronize its clock with the AS. "Expires in". Lifetime of the token in seconds from the time the RS first sees it. exi Used to implement a weaker [IETF] [RFC9200, Section 5.10.3] from of token expiration for devices that cannot synchronize their internal clocks. roles Roles [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] groups Groups [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] entitlements Entitlements [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] token_introspection Token introspection response [IETF] [RFC9701, Section 5] eat_nonce Nonce [IETF] [RFC9711] ueid Universal Entity ID [IETF] [RFC9711] sueids Semipermanent UEIDs [IETF] [RFC9711] oemid Hardware OEM ID [IETF] [RFC9711] hwmodel Model identifier for hardware [IETF] [RFC9711] hwversion Hardware Version Identifier [IETF] [RFC9711] Indicates whether the oemboot software booted was OEM [IETF] [RFC9711] authorized dbgstat The status of debug [IETF] [RFC9711] facilities location The geographic location [IETF] [RFC9711] eat_profile The EAT profile followed [IETF] [RFC9711] submods The section containing [IETF] [RFC9711] submodules uptime Uptime [IETF] [RFC9711] The number of times the bootcount entity or submodule has been [IETF] [RFC9711] booted bootseed Identifies a boot cycle [IETF] [RFC9711] dloas Certifications received as [IETF] [RFC9711] Digital Letters of Approval swname The name of the software [IETF] [RFC9711] running in the entity swversion The version of software [IETF] [RFC9711] running in the entity Manifests describing the manifests software installed on the [IETF] [RFC9711] entity Measurements of the software, measurements memory configuration, and [IETF] [RFC9711] such on the entity The results of comparing measres software measurements to [IETF] [RFC9711] reference values intuse The intended use of the EAT [IETF] [RFC9711] cdniv CDNI Claim Set Version [IETF] [RFC9246, Section 2.1.8] cdnicrit CDNI Critical Claims Set [IETF] [RFC9246, Section 2.1.9] cdniip CDNI IP Address [IETF] [RFC9246, Section 2.1.10] cdniuc CDNI URI Container [IETF] [RFC9246, Section 2.1.11] cdniets CDNI Expiration Time Setting [IETF] [RFC9246, Section 2.1.12] for Signed Token Renewal CDNI Signed Token Transport cdnistt Method for Signed Token [IETF] [RFC9246, Section 2.1.13] Renewal cdnistd CDNI Signed Token Depth [IETF] [RFC9246, Section 2.1.14] sig_val_claims Signature Validation Token [IETF] [RFC9321, Section 3.2.3] The claim authorization_details contains a JSON array of JSON objects representing the authorization_details rights of the access token. [IETF] [RFC9396, Section 9.1] Each JSON object contains the data to specify the authorization requirements for a certain type of resource. A structured claim containing verified_claims end-user claims and the [eKYC_and_Identity_Assurance_WG] [OpenID Identity Assurance Schema details of how those end-user Definition 1.0, Section 5] claims were assured. A structured claim [OpenID Connect for Identity Assurance place_of_birth representing the end-user's [eKYC_and_Identity_Assurance_WG] Claims Registration 1.0, Section 4] place of birth. nationalities String array representing the [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance end-user's nationalities. Claims Registration 1.0, Section 4] Family name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the family name(s) later in [OpenID Connect for Identity Assurance birth_family_name life for any reason. Note [eKYC_and_Identity_Assurance_WG] Claims Registration 1.0, Section 4] that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. Given name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes birth_given_name the given name later in life [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance for any reason. Note that in Claims Registration 1.0, Section 4] some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. Middle name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the middle name later in life birth_middle_name for any reason. Note that in [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance some cultures, people can Claims Registration 1.0, Section 4] have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. salutation End-user's salutation, e.g., [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance "Mr" Claims Registration 1.0, Section 4] title End-user's title, e.g., "Dr" [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4] End-user's mobile phone [OpenID Connect for Identity Assurance msisdn number formatted according to [eKYC_and_Identity_Assurance_WG] Claims Registration 1.0, Section 4] ITU-T recommendation [E.164] Stage name, religious name or any other type of also_known_as alias/pseudonym with which a [eKYC_and_Identity_Assurance_WG] [OpenID Connect for Identity Assurance person is known in a specific Claims Registration 1.0, Section 4] context besides its legal name. htm The HTTP method of the [IETF] [RFC9449, Section 4.2] request The HTTP URI of the request htu (without query and fragment [IETF] [RFC9449, Section 4.2] parts) The base64url-encoded SHA-256 ath hash of the ASCII encoding of [IETF] [RFC9449, Section 4.2] the associated access token's value atc Authority Token Challenge [IETF] [RFC9447] sub_id Subject Identifier [IETF] [RFC9493, Section 4.1] rcd Rich Call Data Information [IETF] [RFC9795] rcdi Rich Call Data Integrity [IETF] [RFC9795] Information crn Call Reason [IETF] [RFC9795] msgi Message Integrity Information [IETF] [RFC9475] JSON object whose member _claim_names names are the Claim Names for [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.6.2] the Aggregated and Distributed Claims JSON object whose member _claim_sources names are referenced by the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.6.2] member values of the _claim_names member This claim describes the set of RDAP query purposes that rdap_allowed_purposes are available to an identity [IETF] [RFC9560, Section 3.1.5.1] that is presented for access to a protected RDAP resource. This claim contains a JSON boolean literal that describes a "do not track" rdap_dnt_allowed request for server-side [IETF] [RFC9560, Section 3.1.5.2] tracking, logging, or recording of an identity that is presented for access to a protected RDAP resource. geohash Geohash String or Array [Consumer_Technology_Association] [Fast and Readable Geographical Hashing (CTA-5009)] _sd Digests of Disclosures for [IETF] [RFC9901, Section 4.2.4.1] object properties ... Digest of the Disclosure for [IETF] [RFC9901, Section 4.2.4.2] an array element Hash algorithm used to _sd_alg generate Disclosure digests [IETF] [RFC9901, Section 4.1.1] and digest over presentation sd_hash Digest of the SD-JWT to which [IETF] [RFC9901, Section 4.3] the KB-JWT is tied consumerPlmnId PLMN ID of the NF service [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] consumer consumerSnpnId SNPN ID of the NF service [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] consumer producerPlmnId PLMN ID of the NF service [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] producer producerSnpnId SNPN ID of the NF service [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] producer list of S-NSSAIs of the NF producerSnssaiList service producer which are [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] authorized for the NF service consumer List of NSIs of the NF producerNsiList service producer which are [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] authorized for the NF service consumer producerNfSetId NF Set ID of the NF service [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] producer producerNfServiceSetId NF Service Set ID of the NF [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] Service Producer sourceNfInstanceId NF Instance ID of the source [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] NF analyticsIdList Analytics IDs [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] Contains the identifier of resOwnerId the resource owner, e.g., [_3GPP_Specifications_Manager] [3GPP TS 29.222, Clause 8.5.4.2.8] GPSI as specified in clause 5.3.2 of [3GPP TS 29.571]. cmw RATS Conceptual Message [IETF] [RFC-ietf-rats-msg-wrap-22, Sections Wrapper 3.1, 3.3] jwks JSON Web Key Set [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 13.1] metadata Metadata object [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 13.2] constraints Constraints object [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 13.3] List of Claims in this JWT crit defined by extensions to this [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 13.4] kind of JWT that MUST be understood and processed ref Reference [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 13.5] delegation Delegation [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 13.6] logo_uri URI referencing a logo [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 13.7] authority_hints Authority Hints [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.2] trust_anchor_hints Trust Anchor Hints [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.2] trust_marks Trust Marks [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.2] trust_mark_issuers Trust Mark Issuers [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.2] trust_mark_owners Trust Mark Owners [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.2] metadata_policy Metadata Policy object [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.3] metadata_policy_crit Critical Metadata Policy [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.3] Operators source_endpoint Source Endpoint URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.3] keys Array of JWK values in a JWK [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 5.2.1] Set trust_mark_type Trust Mark Type Identifier [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 7.1] trust_chain Trust Chain [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 8.3.2] trust_anchor Trust Anchor ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 12.2.3] A JSON object containing a status reference to a status [IETF] [RFC-ietf-oauth-status-list-21, Section mechanism from the JWT Status 6.1] Mechanisms Registry. A JSON object containing status_list up-to-date status information [IETF] [RFC-ietf-oauth-status-list-21, Section on multiple tokens using the 5.1] Token Status List mechanism. ttl Time to Live [IETF] [RFC-ietf-oauth-status-list-21, Section 5.1] stpl OCSP Staple [IETF] [RFC-ietf-stir-certificates-ocsp-14] JWT Confirmation Methods Registration Procedure(s) Specification Required Expert(s) John Bradley, Hannes Tschofenig Reference [RFC7800] Note Registration requests should be sent to the mailing list described in [RFC7800]. If they approve, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. Available Formats [IMG] CSV Confirmation Method Value Confirmation Method Description Change Controller Reference jwk JSON Web Key Representing Public Key [IESG] [RFC7800, Section 3.2] jwe Encrypted JSON Web Key [IESG] [RFC7800, Section 3.3] kid Key Identifier [IESG] [RFC7800, Section 3.4] jku JWK Set URL [IESG] [RFC7800, Section 3.5] x5t#S256 X.509 Certificate SHA-256 Thumbprint [IESG] [RFC8705, Section 3.1] osc OSCORE_Input_Material carrying the parameters for using OSCORE per-message [IETF] [RFC9203, Section 3.2.1] security with implicit key confirmation jkt JWK SHA-256 Thumbprint [IETF] [RFC9449, Section 6] JWT Status Mechanisms Registration Procedure(s) Specification Required Expert(s) Unassigned Reference [RFC-ietf-oauth-status-list-21] Note Registration requests should be sent to the mailing list described in [RFC-ietf-oauth-status-list-21]. If they approve, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. Available Formats [IMG] CSV Status Mechanism Value Status Mechanism Method Description Change Controller Reference status_list A Token Status List containing up-to-date status [IETF] [RFC-ietf-oauth-status-list-21, Section 6.2] information on multiple tokens. Contact Information ID Name Contact URI Last Updated [_3GPP_Specifications_Manager] 3GPP Specifications Manager mailto:3gppContact&etsi.org 2025-08-20 [Consumer_Technology_Association] Consumer Technology Association mailto:standards&cta.tech 2024-08-02 [eKYC_and_Identity_Assurance_WG] eKYC and Identity Assurance mailto:openid-specs-ekyc-ida&lists.openid.net 2024-08-02 Working Group [ETSI] ETSI mailto:pnns&etsi.org 2024-08-02 [IESG] IESG mailto:iesg&ietf.org [IETF] IETF mailto:iesg&ietf.org [OpenID_Foundation_Artifact_Binding_Working_Group] OpenID Foundation Artifact Binding mailto:openid-specs-ab&lists.openid.net 2024-08-02 Working Group Licensing Terms