JSON Web Token (JWT)
JSON Web Token (JWT)
Created
2015-01-23
2026-02-23
Available Formats
XML
HTML
Plain text
Registries Included Below
JSON Web Token Claims
JWT Confirmation Methods
JSON Web Token Claims
Registration Procedure(s)
Specification Required
Expert(s)
Brian Campbell, Mike Jones, Nat Sakimura, Filip Skokan
Reference
RFC7519
Note
Registration requests should be sent to the mailing list described in
RFC7519
]. If approved, designated experts should notify IANA within
three weeks. For assistance, please contact iana@iana.org.
Available Formats
CSV
Claim Name
Claim Description
Change Controller
Reference
iss
Issuer
IESG
RFC7519, Section 4.1.1
sub
Subject
IESG
RFC7519, Section 4.1.2
aud
Audience
IESG
RFC7519, Section 4.1.3
exp
Expiration Time
IESG
RFC7519, Section 4.1.4
nbf
Not Before
IESG
RFC7519, Section 4.1.5
iat
Issued At
IESG
RFC7519, Section 4.1.6
jti
JWT ID
IESG
RFC7519, Section 4.1.7
name
Full name
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
given_name
Given name(s) or first name(s)
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
family_name
Surname(s) or last name(s)
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
middle_name
Middle name(s)
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
nickname
Casual name
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
preferred_username
Shorthand name by which the End-User wishes to be referred to
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
profile
Profile page URL
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
picture
Profile picture URL
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
website
Web page or blog URL
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
email
Preferred e-mail address
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
email_verified
True if the e-mail address has been verified; otherwise false
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
gender
Gender
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
birthdate
Birthday
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
zoneinfo
Time zone
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
locale
Locale
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
phone_number
Preferred telephone number
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
phone_number_verified
True if the phone number has been verified; otherwise false
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
address
Preferred postal address
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
updated_at
Time the information was last updated
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.1
azp
Authorized party - the party to which the ID Token was issued
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 2
nonce
Value used to associate a Client session with an ID Token (MAY also be used for nonce values in other applications of JWTs)
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 2
][
RFC9449
auth_time
Time when the authentication occurred
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 2
at_hash
Access Token hash value
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 2
c_hash
Code hash value
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 3.3.2.11
acr
Authentication Context Class Reference
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 2
amr
Authentication Methods References
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 2
sub_jwk
Public key used to check the signature of an ID Token
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 7.4
cnf
Confirmation
IESG
RFC7800, Section 3.1
sip_from_tag
SIP From tag header field parameter value
IESG
RFC8055
][
RFC3261
sip_date
SIP Date header field value
IESG
RFC8055
][
RFC3261
sip_callid
SIP Call-Id header field value
IESG
RFC8055
][
RFC3261
sip_cseq_num
SIP CSeq numeric header field parameter value
IESG
RFC8055
][
RFC3261
sip_via_branch
SIP Via branch header field parameter value
IESG
RFC8055
][
RFC3261
orig
Originating Identity String
IESG
RFC8225, Section 5.2.1
dest
Destination Identity String
IESG
RFC8225, Section 5.2.1
mky
Media Key Fingerprint String
IESG
RFC8225, Section 5.2.2
events
Security Events
IESG
RFC8417, Section 2.2
toe
Time of Event
IESG
RFC8417, Section 2.2
txn
Transaction Identifier
IESG
RFC8417, Section 2.2
rph
Resource Priority Header Authorization
IESG
RFC8443, Section 3
sid
Session ID
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Front-Channel Logout 1.0, Section 3
vot
Vector of Trust value
IESG
RFC8485
vtm
Vector of Trust trustmark URL
IESG
RFC8485
attest
Attestation level as defined in SHAKEN framework
IESG
RFC8588
origid
Originating Identifier as defined in SHAKEN framework
IESG
RFC8588
act
Actor
IESG
RFC8693, Section 4.1
scope
Scope Values
IESG
RFC8693, Section 4.2
client_id
Client Identifier
IESG
RFC8693, Section 4.3
may_act
Authorized Actor - the party that is authorized
to become the actor
IESG
RFC8693, Section 4.4
jcard
jCard data
IESG
RFC8688
][
RFC7095
at_use_nbr
Number of API requests for which the access token can be used
ETSI
ETSI GS NFV-SEC 022 V2.7.1
div
Diverted Target of a Call
IESG
RFC8946
opt
Original PASSporT (in Full Form)
IESG
RFC8946
vc
Verifiable Credential as specified in the W3C Recommendation
IESG
W3C Recommendation
Verifiable Credentials Data Model 1.0 - Expressing verifiable information on the Web (19 November 2019), Section 6.3.1
vp
Verifiable Presentation as specified in the W3C Recommendation
IESG
W3C Recommendation
Verifiable Credentials Data Model 1.0 - Expressing verifiable information on the Web (19 November 2019), Section 6.3.1
sph
SIP Priority header field
IESG
RFC9027
ace_profile
The ACE profile a token is supposed to be used
with.
IETF
RFC9200, Section 5.10
cnonce
"client-nonce". A nonce previously provided to
the AS by the RS via the client. Used to verify token freshness
when the RS cannot synchronize its clock with the AS.
IETF
RFC9200, Section 5.10
exi
"Expires in". Lifetime of the token in seconds
from the time the RS first sees it. Used to implement a weaker
from of token expiration for devices that cannot synchronize their
internal clocks.
IETF
RFC9200, Section 5.10.3
roles
Roles
IETF
RFC7643, Section 4.1.2
][
RFC9068, Section 2.2.3.1
groups
Groups
IETF
RFC7643, Section 4.1.2
][
RFC9068, Section 2.2.3.1
entitlements
Entitlements
IETF
RFC7643, Section 4.1.2
][
RFC9068, Section 2.2.3.1
token_introspection
Token introspection response
IETF
RFC9701, Section 5
eat_nonce
Nonce
IETF
RFC9711
ueid
Universal Entity ID
IETF
RFC9711
sueids
Semipermanent UEIDs
IETF
RFC9711
oemid
Hardware OEM ID
IETF
RFC9711
hwmodel
Model identifier for hardware
IETF
RFC9711
hwversion
Hardware Version Identifier
IETF
RFC9711
oemboot
Indicates whether the software booted was OEM authorized
IETF
RFC9711
dbgstat
The status of debug facilities
IETF
RFC9711
location
The geographic location
IETF
RFC9711
eat_profile
The EAT profile followed
IETF
RFC9711
submods
The section containing submodules
IETF
RFC9711
uptime
Uptime
IETF
RFC9711
bootcount
The number of times the entity or submodule has been booted
IETF
RFC9711
bootseed
Identifies a boot cycle
IETF
RFC9711
dloas
Certifications received as Digital Letters of Approval
IETF
RFC9711
swname
The name of the software running in the entity
IETF
RFC9711
swversion
The version of software running in the entity
IETF
RFC9711
manifests
Manifests describing the software installed on the entity
IETF
RFC9711
measurements
Measurements of the software, memory configuration, and such on the entity
IETF
RFC9711
measres
The results of comparing software measurements to reference values
IETF
RFC9711
intuse
The intended use of the EAT
IETF
RFC9711
cdniv
CDNI Claim Set Version
IETF
RFC9246, Section 2.1.8
cdnicrit
CDNI Critical Claims Set
IETF
RFC9246, Section 2.1.9
cdniip
CDNI IP Address
IETF
RFC9246, Section 2.1.10
cdniuc
CDNI URI Container
IETF
RFC9246, Section 2.1.11
cdniets
CDNI Expiration Time Setting for Signed Token Renewal
IETF
RFC9246, Section 2.1.12
cdnistt
CDNI Signed Token Transport Method for Signed Token Renewal
IETF
RFC9246, Section 2.1.13
cdnistd
CDNI Signed Token Depth
IETF
RFC9246, Section 2.1.14
sig_val_claims
Signature Validation Token
IETF
RFC9321, Section 3.2.3
authorization_details
The claim authorization_details contains a JSON
array of JSON objects representing the rights of the access
token. Each JSON object contains the data to specify the
authorization requirements for a certain type of resource.
IETF
RFC9396, Section 9.1
verified_claims
A structured claim containing end-user claims and the details of how those end-user
claims were assured.
eKYC_and_Identity_Assurance_WG
OpenID Identity Assurance Schema Definition 1.0, Section 5
place_of_birth
A structured claim representing the end-user's place of birth.
eKYC_and_Identity_Assurance_WG
OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4
nationalities
String array representing the end-user's nationalities.
eKYC_and_Identity_Assurance_WG
OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4
birth_family_name
Family name(s) someone has when they were born, or at least from the time they
were a child. This term can be used by a person who changes the family name(s) later in life
for any reason. Note that in some cultures, people can have multiple family names or no
family name; all can be present, with the names being separated by space characters.
eKYC_and_Identity_Assurance_WG
OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4
birth_given_name
Given name(s) someone has when they were born, or at least from the time they
were a child. This term can be used by a person who changes the given name later in life
for any reason. Note that in some cultures, people can have multiple given names; all can
be present, with the names being separated by space characters.
eKYC_and_Identity_Assurance_WG
OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4
birth_middle_name
Middle name(s) someone has when they were born, or at least from the time they
were a child. This term can be used by a person who changes the middle name later in life
for any reason. Note that in some cultures, people can have multiple middle names; all can
be present, with the names being separated by space characters. Also note that in some
cultures, middle names are not used.
eKYC_and_Identity_Assurance_WG
OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4
salutation
End-user's salutation, e.g., "Mr"
eKYC_and_Identity_Assurance_WG
OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4
title
End-user's title, e.g., "Dr"
eKYC_and_Identity_Assurance_WG
OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4
msisdn
End-user's mobile phone number formatted according to ITU-T recommendation [
E.164
eKYC_and_Identity_Assurance_WG
OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4
also_known_as
Stage name, religious name or any other type of alias/pseudonym with which a person is known in a specific context besides its legal name.
eKYC_and_Identity_Assurance_WG
OpenID Connect for Identity Assurance Claims Registration 1.0, Section 4
htm
The HTTP method of the request
IETF
RFC9449, Section 4.2
htu
The HTTP URI of the request (without query and fragment parts)
IETF
RFC9449, Section 4.2
ath
The base64url-encoded SHA-256 hash of the ASCII encoding of the associated access token's value
IETF
RFC9449, Section 4.2
atc
Authority Token Challenge
IETF
RFC9447
sub_id
Subject Identifier
IETF
RFC9493, Section 4.1
rcd
Rich Call Data Information
IETF
RFC9795
rcdi
Rich Call Data Integrity Information
IETF
RFC9795
crn
Call Reason
IETF
RFC9795
msgi
Message Integrity Information
IETF
RFC9475
_claim_names
JSON object whose member names are the Claim Names for the Aggregated and Distributed Claims
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.6.2
_claim_sources
JSON object whose member names are referenced by the member values of the _claim_names member
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Connect Core 1.0, Section 5.6.2
rdap_allowed_purposes
This claim describes the set of RDAP query purposes that are available to an identity that is
presented for access to a protected RDAP resource.
IETF
RFC9560, Section 3.1.5.1
rdap_dnt_allowed
This claim contains a JSON boolean literal that describes a "do not track" request for server-side tracking,
logging, or recording of an identity that is presented for access to a protected RDAP resource.
IETF
RFC9560, Section 3.1.5.2
geohash
Geohash String or Array
Consumer_Technology_Association
Fast and Readable Geographical Hashing (CTA-5009)
_sd
Digests of Disclosures for object properties
IETF
RFC9901, Section 4.2.4.1
...
Digest of the Disclosure for an array element
IETF
RFC9901, Section 4.2.4.2
_sd_alg
Hash algorithm used to generate Disclosure digests and digest over presentation
IETF
RFC9901, Section 4.1.1
sd_hash
Digest of the SD-JWT to which the KB-JWT is tied
IETF
RFC9901, Section 4.3
consumerPlmnId
PLMN ID of the NF service consumer
_3GPP_Specifications_Manager
3GPP TS 29.510, Clause 6.3.5.2.4
consumerSnpnId
SNPN ID of the NF service consumer
_3GPP_Specifications_Manager
3GPP TS 29.510, Clause 6.3.5.2.4
producerPlmnId
PLMN ID of the NF service producer
_3GPP_Specifications_Manager
3GPP TS 29.510, Clause 6.3.5.2.4
producerSnpnId
SNPN ID of the NF service producer
_3GPP_Specifications_Manager
3GPP TS 29.510, Clause 6.3.5.2.4
producerSnssaiList
list of S-NSSAIs of the NF service producer which are authorized for the NF service consumer
_3GPP_Specifications_Manager
3GPP TS 29.510, Clause 6.3.5.2.4
producerNsiList
List of NSIs of the NF service producer which are authorized for the NF service consumer
_3GPP_Specifications_Manager
3GPP TS 29.510, Clause 6.3.5.2.4
producerNfSetId
NF Set ID of the NF service producer
_3GPP_Specifications_Manager
3GPP TS 29.510, Clause 6.3.5.2.4
producerNfServiceSetId
NF Service Set ID of the NF Service Producer
_3GPP_Specifications_Manager
3GPP TS 29.510, Clause 6.3.5.2.4
sourceNfInstanceId
NF Instance ID of the source NF
_3GPP_Specifications_Manager
3GPP TS 29.510, Clause 6.3.5.2.4
analyticsIdList
Analytics IDs
_3GPP_Specifications_Manager
3GPP TS 29.510, Clause 6.3.5.2.4
resOwnerId
Contains the identifier of the resource owner, e.g., GPSI as specified in clause 5.3.2 of [
3GPP TS 29.571
].
_3GPP_Specifications_Manager
3GPP TS 29.222, Clause 8.5.4.2.8
cmw
A RATS Conceptual Message Wrapper
IETF
RFC-ietf-rats-msg-wrap-22, Sections 3.1, 3.3
jwks
JSON Web Key Set
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 13.1
metadata
Metadata object
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 13.2
constraints
Constraints object
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 13.3
crit
List of Claims in this JWT defined by extensions to this kind of JWT that MUST be understood and processed
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 13.4
ref
Reference
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 13.5
delegation
Delegation
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 13.6
logo_uri
URI referencing a logo
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 13.7
authority_hints
Authority Hints
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 3.2
trust_anchor_hints
Trust Anchor Hints
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 3.2
trust_marks
Trust Marks
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 3.2
trust_mark_issuers
Trust Mark Issuers
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 3.2
trust_mark_owners
Trust Mark Owners
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 3.2
metadata_policy
Metadata Policy object
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 3.3
metadata_policy_crit
Critical Metadata Policy Operators
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 3.3
source_endpoint
Source Endpoint URL
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 3.3
keys
Array of JWK values in a JWK Set
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 5.2.1
trust_mark_type
Trust Mark Type Identifier
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 7.1
trust_chain
Trust Chain
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 8.3.2
trust_anchor
Trust Anchor ID
OpenID_Foundation_Artifact_Binding_Working_Group
OpenID Federation 1.0, Section 12.2.3
JWT Confirmation Methods
Registration Procedure(s)
Specification Required
Expert(s)
John Bradley, Hannes Tschofenig
Reference
RFC7800
Note
Registration requests should be sent to the mailing list described in
RFC7800
]. If approved, designated experts should notify IANA within
three weeks. For assistance, please contact iana@iana.org.
Available Formats
CSV
Confirmation Method Value
Confirmation Method Description
Change Controller
Reference
jwk
JSON Web Key Representing Public Key
IESG
RFC7800, Section 3.2
jwe
Encrypted JSON Web Key
IESG
RFC7800, Section 3.3
kid
Key Identifier
IESG
RFC7800, Section 3.4
jku
JWK Set URL
IESG
RFC7800, Section 3.5
x5t#S256
X.509 Certificate SHA-256 Thumbprint
IESG
RFC8705, Section 3.1
osc
OSCORE_Input_Material carrying
the parameters for using OSCORE per-message security with implicit
key confirmation
IETF
RFC9203, Section 3.2.1
jkt
JWK SHA-256 Thumbprint
IETF
RFC9449, Section 6
Contact Information
ID
Name
Contact URI
[_3GPP_Specifications_Manager]
3GPP Specifications Manager
mailto:3gppContact&etsi.org
2025-08-20
[Consumer_Technology_Association]
Consumer Technology Association
mailto:standards&cta.tech
2024-08-02
[eKYC_and_Identity_Assurance_WG]
eKYC and Identity Assurance Working Group
mailto:openid-specs-ekyc-ida&lists.openid.net
2024-08-02
[ETSI]
ETSI
mailto:pnns&etsi.org
2024-08-02
[IESG]
IESG
mailto:iesg&ietf.org
[IETF]
IETF
mailto:iesg&ietf.org
[OpenID_Foundation_Artifact_Binding_Working_Group]
OpenID Foundation Artifact Binding Working Group
mailto:openid-specs-ab&lists.openid.net
2024-08-02
US