Internet Assigned Numbers Authority • Domains • Protocols • Numbers • About JSON Web Token (JWT) Created 2015-01-23 Last Updated 2026-06-12 Available Formats [IMG] XML [IMG] HTML [IMG] Plain text Registries Included Below • JSON Web Token Claims • JWT Confirmation Methods • JWT Status Mechanisms JSON Web Token Claims Registration Procedure(s) Specification Required Expert(s) Brian Campbell, Mike Jones, Nat Sakimura, Filip Skokan Reference [RFC7519] Note Registration requests should be sent to the mailing list described in [RFC7800]. If they approve, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. Available Formats [IMG] CSV Claim Name Claim Description Change Controller Reference iss Issuer [IESG] [RFC7519, Section 4.1.1] sub Subject [IESG] [RFC7519, Section 4.1.2] aud Audience [IESG] [RFC7519, Section 4.1.3] exp Expiration Time [IESG] [RFC7519, Section 4.1.4] nbf Not Before [IESG] [RFC7519, Section 4.1.5] iat Issued At [IESG] [RFC7519, Section 4.1.6] jti JWT ID [IESG] [RFC7519, Section 4.1.7] name Full name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] given_name Given name(s) or first name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] family_name Surname(s) or last name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] middle_name Middle name(s) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] nickname Casual name [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] preferred_username Shorthand name by which the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section End-User wishes to be referred to 5.1] profile Profile page URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] picture Profile picture URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] website Web page or blog URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] email Preferred e-mail address [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] email_verified True if the e-mail address has [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section been verified; otherwise false 5.1] gender Gender [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] birthdate Birthday [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] zoneinfo Time zone [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] locale Locale [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] phone_number Preferred telephone number [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] phone_number_verified True if the phone number has been [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section verified; otherwise false 5.1] address Preferred postal address [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 5.1] updated_at Time the information was last [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section updated 5.1] azp Authorized party - the party to [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] which the ID Token was issued Value used to associate a Client nonce session with an ID Token (MAY [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section also be used for nonce values in 2][RFC9449] other applications of JWTs) auth_time Time when the authentication [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] occurred at_hash Access Token hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] c_hash Code hash value [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 3.3.2.11] acr Authentication Context Class [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] Reference amr Authentication Methods References [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section 2] sub_jwk Public key used to check the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0, Section signature of an ID Token 7.4] cnf Confirmation [IESG] [RFC7800, Section 3.1] sip_from_tag SIP From tag header field [IESG] [RFC8055][RFC3261] parameter value sip_date SIP Date header field value [IESG] [RFC8055][RFC3261] sip_callid SIP Call-Id header field value [IESG] [RFC8055][RFC3261] sip_cseq_num SIP CSeq numeric header field [IESG] [RFC8055][RFC3261] parameter value sip_via_branch SIP Via branch header field [IESG] [RFC8055][RFC3261] parameter value orig Originating Identity String [IESG] [RFC8225, Section 5.2.1] dest Destination Identity String [IESG] [RFC8225, Section 5.2.1] mky Media Key Fingerprint String [IESG] [RFC8225, Section 5.2.2] events Security Events [IESG] [RFC8417, Section 2.2] toe Time of Event [IESG] [RFC8417, Section 2.2] txn Transaction Identifier [IESG] [RFC8417, Section 2.2] rph Resource Priority Header [IESG] [RFC8443, Section 3] Authorization sid Session ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Front-Channel Logout 1.0, Section 3] vot Vector of Trust value [IESG] [RFC8485] vtm Vector of Trust trustmark URL [IESG] [RFC8485] attest Attestation level as defined in [IESG] [RFC8588] SHAKEN framework origid Originating Identifier as defined [IESG] [RFC8588] in SHAKEN framework act Actor [IESG] [RFC8693, Section 4.1] scope Scope Values [IESG] [RFC8693, Section 4.2] client_id Client Identifier [IESG] [RFC8693, Section 4.3] may_act Authorized Actor - the party that [IESG] [RFC8693, Section 4.4] is authorized to become the actor jcard jCard data [IESG] [RFC8688][RFC7095] at_use_nbr Number of API requests for which [ETSI] [ETSI GS NFV-SEC 022 V2.7.1] the access token can be used div Diverted Target of a Call [IESG] [RFC8946] opt Original PASSporT (in Full Form) [IESG] [RFC8946] [W3C Recommendation Verifiable Verifiable Credential as Credentials Data Model 1.0 - vc specified in the W3C [IESG] Expressing verifiable information on Recommendation the Web (19 November 2019), Section 6.3.1] [W3C Recommendation Verifiable Verifiable Presentation as Credentials Data Model 1.0 - vp specified in the W3C [IESG] Expressing verifiable information on Recommendation the Web (19 November 2019), Section 6.3.1] sph SIP Priority header field [IESG] [RFC9027] ace_profile The ACE profile a token is [IETF] [RFC9200, Section 5.10] supposed to be used with. "client-nonce". A nonce previously provided to the AS by cnonce the RS via the client. Used to [IETF] [RFC9200, Section 5.10] verify token freshness when the RS cannot synchronize its clock with the AS. "Expires in". Lifetime of the token in seconds from the time the RS first sees it. Used to exi implement a weaker from of token [IETF] [RFC9200, Section 5.10.3] expiration for devices that cannot synchronize their internal clocks. roles Roles [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] groups Groups [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] entitlements Entitlements [IETF] [RFC7643, Section 4.1.2][RFC9068, Section 2.2.3.1] token_introspection Token introspection response [IETF] [RFC9701, Section 5] eat_nonce Nonce [IETF] [RFC9711] ueid Universal Entity ID [IETF] [RFC9711] sueids Semipermanent UEIDs [IETF] [RFC9711] oemid Hardware OEM ID [IETF] [RFC9711] hwmodel Model identifier for hardware [IETF] [RFC9711] hwversion Hardware Version Identifier [IETF] [RFC9711] oemboot Indicates whether the software [IETF] [RFC9711] booted was OEM authorized dbgstat The status of debug facilities [IETF] [RFC9711] location The geographic location [IETF] [RFC9711] eat_profile The EAT profile followed [IETF] [RFC9711] submods The section containing submodules [IETF] [RFC9711] uptime Uptime [IETF] [RFC9711] bootcount The number of times the entity or [IETF] [RFC9711] submodule has been booted bootseed Identifies a boot cycle [IETF] [RFC9711] dloas Certifications received as [IETF] [RFC9711] Digital Letters of Approval swname The name of the software running [IETF] [RFC9711] in the entity swversion The version of software running [IETF] [RFC9711] in the entity manifests Manifests describing the software [IETF] [RFC9711] installed on the entity Measurements of the software, measurements memory configuration, and such on [IETF] [RFC9711] the entity measres The results of comparing software [IETF] [RFC9711] measurements to reference values intuse The intended use of the EAT [IETF] [RFC9711] cdniv CDNI Claim Set Version [IETF] [RFC9246, Section 2.1.8] cdnicrit CDNI Critical Claims Set [IETF] [RFC9246, Section 2.1.9] cdniip CDNI IP Address [IETF] [RFC9246, Section 2.1.10] cdniuc CDNI URI Container [IETF] [RFC9246, Section 2.1.11] cdniets CDNI Expiration Time Setting for [IETF] [RFC9246, Section 2.1.12] Signed Token Renewal cdnistt CDNI Signed Token Transport [IETF] [RFC9246, Section 2.1.13] Method for Signed Token Renewal cdnistd CDNI Signed Token Depth [IETF] [RFC9246, Section 2.1.14] sig_val_claims Signature Validation Token [IETF] [RFC9321, Section 3.2.3] The claim authorization_details contains a JSON array of JSON objects representing the rights authorization_details of the access token. Each JSON [IETF] [RFC9396, Section 9.1] object contains the data to specify the authorization requirements for a certain type of resource. A structured claim containing verified_claims end-user claims and the details [eKYC_and_Identity_Assurance_WG] [OpenID Identity Assurance Schema of how those end-user claims were Definition 1.0, Section 5] assured. A structured claim representing [OpenID Connect for Identity place_of_birth the end-user's place of birth. [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, Section 4] String array representing the [OpenID Connect for Identity nationalities end-user's nationalities. [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, Section 4] Family name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the family name(s) later [OpenID Connect for Identity birth_family_name in life for any reason. Note that [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, in some cultures, people can have Section 4] multiple family names or no family name; all can be present, with the names being separated by space characters. Given name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who [OpenID Connect for Identity birth_given_name changes the given name later in [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, life for any reason. Note that in Section 4] some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. Middle name(s) someone has when they were born, or at least from the time they were a child. This term can be used by a person who changes the middle name later in [OpenID Connect for Identity birth_middle_name life for any reason. Note that in [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, some cultures, people can have Section 4] multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. [OpenID Connect for Identity salutation End-user's salutation, e.g., "Mr" [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, Section 4] [OpenID Connect for Identity title End-user's title, e.g., "Dr" [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, Section 4] End-user's mobile phone number [OpenID Connect for Identity msisdn formatted according to ITU-T [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, recommendation [E.164] Section 4] Stage name, religious name or any other type of alias/pseudonym [OpenID Connect for Identity also_known_as with which a person is known in a [eKYC_and_Identity_Assurance_WG] Assurance Claims Registration 1.0, specific context besides its Section 4] legal name. htm The HTTP method of the request [IETF] [RFC9449, Section 4.2] The HTTP URI of the request htu (without query and fragment [IETF] [RFC9449, Section 4.2] parts) The base64url-encoded SHA-256 ath hash of the ASCII encoding of the [IETF] [RFC9449, Section 4.2] associated access token's value atc Authority Token Challenge [IETF] [RFC9447] sub_id Subject Identifier [IETF] [RFC9493, Section 4.1] rcd Rich Call Data Information [IETF] [RFC9795] rcdi Rich Call Data Integrity [IETF] [RFC9795] Information crn Call Reason [IETF] [RFC9795] msgi Message Integrity Information [IETF] [RFC9475] JSON object whose member names [OpenID Connect Core 1.0, Section _claim_names are the Claim Names for the [OpenID_Foundation_Artifact_Binding_Working_Group] 5.6.2] Aggregated and Distributed Claims JSON object whose member names [OpenID Connect Core 1.0, Section _claim_sources are referenced by the member [OpenID_Foundation_Artifact_Binding_Working_Group] 5.6.2] values of the _claim_names member This claim describes the set of RDAP query purposes that are rdap_allowed_purposes available to an identity that is [IETF] [RFC9560, Section 3.1.5.1] presented for access to a protected RDAP resource. This claim contains a JSON boolean literal that describes a "do not track" request for rdap_dnt_allowed server-side tracking, logging, or [IETF] [RFC9560, Section 3.1.5.2] recording of an identity that is presented for access to a protected RDAP resource. geohash Geohash String or Array [Consumer_Technology_Association] [Fast and Readable Geographical Hashing (CTA-5009)] _sd Digests of Disclosures for object [IETF] [RFC9901, Section 4.2.4.1] properties ... Digest of the Disclosure for an [IETF] [RFC9901, Section 4.2.4.2] array element Hash algorithm used to generate _sd_alg Disclosure digests and digest [IETF] [RFC9901, Section 4.1.1] over presentation sd_hash Digest of the SD-JWT to which the [IETF] [RFC9901, Section 4.3] KB-JWT is tied consumerPlmnId PLMN ID of the NF service [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] consumer consumerSnpnId SNPN ID of the NF service [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] consumer producerPlmnId PLMN ID of the NF service [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] producer producerSnpnId SNPN ID of the NF service [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] producer list of S-NSSAIs of the NF producerSnssaiList service producer which are [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] authorized for the NF service consumer List of NSIs of the NF service producerNsiList producer which are authorized for [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] the NF service consumer producerNfSetId NF Set ID of the NF service [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] producer producerNfServiceSetId NF Service Set ID of the NF [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] Service Producer sourceNfInstanceId NF Instance ID of the source NF [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] analyticsIdList Analytics IDs [_3GPP_Specifications_Manager] [3GPP TS 29.510, Clause 6.3.5.2.4] Contains the identifier of the resOwnerId resource owner, e.g., GPSI as [_3GPP_Specifications_Manager] [3GPP TS 29.222, Clause 8.5.4.2.8] specified in clause 5.3.2 of [3GPP TS 29.571]. cmw A RATS Conceptual Message Wrapper [IETF] [RFC-ietf-rats-msg-wrap-22, Sections 3.1, 3.3] jwks JSON Web Key Set [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 13.1] metadata Metadata object [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 13.2] constraints Constraints object [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 13.3] List of Claims in this JWT crit defined by extensions to this [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section kind of JWT that MUST be 13.4] understood and processed ref Reference [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 13.5] delegation Delegation [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 13.6] logo_uri URI referencing a logo [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 13.7] authority_hints Authority Hints [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.2] trust_anchor_hints Trust Anchor Hints [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.2] trust_marks Trust Marks [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.2] trust_mark_issuers Trust Mark Issuers [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.2] trust_mark_owners Trust Mark Owners [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.2] metadata_policy Metadata Policy object [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.3] metadata_policy_crit Critical Metadata Policy [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.3] Operators source_endpoint Source Endpoint URL [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 3.3] keys Array of JWK values in a JWK Set [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 5.2.1] trust_mark_type Trust Mark Type Identifier [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 7.1] trust_chain Trust Chain [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 8.3.2] trust_anchor Trust Anchor ID [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Federation 1.0, Section 12.2.3] A JSON object containing a status reference to a status mechanism [IETF] [RFC-ietf-oauth-status-list-20, from the JWT Status Mechanisms Section 6.1] Registry. A JSON object containing status_list up-to-date status information on [IETF] [RFC-ietf-oauth-status-list-20, multiple tokens using the Token Section 5.1] Status List mechanism. ttl Time to Live [IETF] [RFC-ietf-oauth-status-list-20, Section 5.1] JWT Confirmation Methods Registration Procedure(s) Specification Required Expert(s) John Bradley, Hannes Tschofenig Reference [RFC7800] Note Registration requests should be sent to the mailing list described in [RFC7800]. If they approve, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. Available Formats [IMG] CSV Confirmation Method Value Confirmation Method Description Change Controller Reference jwk JSON Web Key Representing Public Key [IESG] [RFC7800, Section 3.2] jwe Encrypted JSON Web Key [IESG] [RFC7800, Section 3.3] kid Key Identifier [IESG] [RFC7800, Section 3.4] jku JWK Set URL [IESG] [RFC7800, Section 3.5] x5t#S256 X.509 Certificate SHA-256 Thumbprint [IESG] [RFC8705, Section 3.1] osc OSCORE_Input_Material carrying the parameters for using OSCORE per-message [IETF] [RFC9203, Section 3.2.1] security with implicit key confirmation jkt JWK SHA-256 Thumbprint [IETF] [RFC9449, Section 6] JWT Status Mechanisms Registration Procedure(s) Specification Required Expert(s) Unassigned Reference [RFC-ietf-oauth-status-list-20] Note Registration requests should be sent to the mailing list described in [RFC-ietf-oauth-status-list-20]. If they approve, designated experts should notify IANA within three weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. Available Formats [IMG] CSV Status Mechanism Value Status Mechanism Method Description Change Controller Reference status_list A Token Status List containing up-to-date status [IETF] [RFC-ietf-oauth-status-list-20, Section 6.2] information on multiple tokens. Contact Information ID Name Contact URI Last Updated [_3GPP_Specifications_Manager] 3GPP Specifications Manager mailto:3gppContact&etsi.org 2025-08-20 [Consumer_Technology_Association] Consumer Technology Association mailto:standards&cta.tech 2024-08-02 [eKYC_and_Identity_Assurance_WG] eKYC and Identity Assurance mailto:openid-specs-ekyc-ida&lists.openid.net 2024-08-02 Working Group [ETSI] ETSI mailto:pnns&etsi.org 2024-08-02 [IESG] IESG mailto:iesg&ietf.org [IETF] IETF mailto:iesg&ietf.org [OpenID_Foundation_Artifact_Binding_Working_Group] OpenID Foundation Artifact Binding mailto:openid-specs-ab&lists.openid.net 2024-08-02 Working Group Licensing Terms