Just Web Token

Earliest timestamp after which the token must be rejected as expired. Use of this claim is recommended in order to minimize impact of signing key being compromised.

Timestamp at which token was issued. Useful to determine the token age and for debugging purposes.

“Not before” timestamp restricting the minimum clock time required to accept the token (i.e., opposite of the exp claim).

Principal that has issued this token. Apps may use the claim to decide whether the issuer is trustworthy.

Describes entity that the claims apply to, generally by using its ID which is globally unique or unique to the issuing system. In the context of OAuth 2.0, the subject is the end user.

Identifies intended recipient(s) of the token. The token verifier must identify with a value in this claim; otherwise, token verification must fail.

Unique token identifier chosen using a collision-resistant algorithm (e.g., pseudo-randomly with sufficient entropy). Primarily useful to prevent replay attacks; with this claim, produced tokens are guaranteed to be unqiue.

Full name of the end user this token is issued to, potentially inlcuding titles and affixes if appropriate.

Given name(s) of the user this token is issued to.

Last name(s) of the user this token is issued to.

Middle name(s) of the user this token is issued to.

Casual name of the user this token is issued to. Semantically similar to the given_name claim.

Name identifying the user for the OAuth 2.0 client. This is usually a unique human-readable identifier of the user, but the verifier must not rely on this claim being unique.

Link to the user’s profile page hosted by the issuer

Link to the user’s profile picture or photo hosted by the issuer

Link to the user’s website, such as a blog

User’s preferred email address

Information on whether the issuer has verified the user’s email address provided in the email claim.

User’s date of birth

User’s preferred time zone

User’s preferred locale

User’s preferred phone number

Information on whether the issuer has verified the user’s phone number provided in the phone_number claim.

User’s preferred postal address

Timestamp when the user’s info was last updated

Timestamp when the user authenticated with the issuer

Unique value included into the token to prevent replay attacks. Similar to the jti claim, but can be specified by the authentication request when used within the OAuth 2.0 framework.

Reference to the method used to authenticate the user, or the class of this method. Classes may be represented by the applicable authentication level of assurance defined in the ISO/IEC 29115 standard. For example, level 2 (substantial) corresponds to multi-factor authentication, while level 0 is the least reliable (e.g., via a long-term authentication cookie).

References for the method(s) used to authenticate the user. As an example, this claim may signal that a password and an OTP scheme were used.

Party to which the token was issued. Fulfils almost the same role as the aud claim and is only really necessary if the audience claim has a single value, which is different from the authorized party.

Party to whom the subject has delegated authority to act on behalf of them. This claim can be used in scenarios such as tech support performing actions on behalf of a user.

Information about a party that is authorized to act on behalf of the subject. This can be used during OAuth 2.0 token exchange to determine whether the potential delegatee is valid, and to produce a token with the act claim as a result.

Collection of OAuth 2.0 scopes that allow restricting valid uses of the token. As an example, scopes can be used to restrict token to specific app(s) or service(s) within the verifier system.

ID of the OAuth 2.0 client that has requested the token