
RFC 7519 — JSON Web Token (JWT)

Spec: datatracker.ietf.org/doc/html/rfc7519
Status: Full

RFC 7519 defines the JWT container format used for access tokens and ID tokens.

Implemented

  • JWS-signed JWTs — all tokens issued by AuthHero are JWS-signed JWTs.
  • Issued-token signing — RS256 (default) for RSA jwt_signing keys; ES256, ES384, ES512 for EC keys (P-256, P-384, P-521 respectively). The algorithm is derived from the key material at issue time.
  • Verified-assertion algorithms — incoming request objects (RFC 9101) and client_assertion JWTs (RFC 7523) are accepted with RS256/384/512, ES256/384/512, and HS256/384/512. alg=none is rejected.
  • Registered claims — iss, sub, aud, exp, iat, nbf, jti are set on issued tokens as appropriate.
  • Custom claims — tenants can inject additional claims via hooks, including the onFetchUserInfo pipeline.
  • Verification — incoming JWTs are verified against the tenant's JWKS, checking signature, iss, aud, and expiry.
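The three behaviours listed above (alg derived from the key material at issue time, a verifier-side alg allow-list that refuses alg=none, and JWKS-based verification of signature, iss, aud and expiry) are shown together in the following added example. It is illustrative code written for this page, not AuthHero's implementation: the function names (algForKey, issueJwt, verifyJwt, runDemo), the key id "demo-key-1", the issuer and audience strings, and the fixed clock value are all constructed. It uses only node:crypto and leaves out the HS256/384/512 path for client assertions.

```typescript
// Added example, not AuthHero's own code: derive the JWS alg from key material,
// mint a JWT with registered claims, and verify it with an explicit alg allow-list
// plus iss/aud/exp/nbf checks. Uses only node:crypto; all names are illustrative.
import { generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';

// What a verifier accepts. "none" and anything not listed are refused outright.
const ALLOWED_ALGS: ReadonlySet<string> = new Set([
  'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512',
]);
const DIGEST: Record<string, string> = {
  RS256: 'sha256', RS384: 'sha384', RS512: 'sha512',
  ES256: 'sha256', ES384: 'sha384', ES512: 'sha512',
};

const b64url = (data: Buffer | string): string =>
  (typeof data === 'string' ? Buffer.from(data) : data).toString('base64url');

// Pick the alg from the key itself: RSA keys get RS256, EC keys get the alg that
// matches their curve. No per-key alg field is consulted.
function algForKey(key: KeyObject): 'RS256' | 'ES256' | 'ES384' | 'ES512' {
  if (key.asymmetricKeyType === 'rsa') return 'RS256';
  if (key.asymmetricKeyType === 'ec') {
    const curve = key.asymmetricKeyDetails?.namedCurve;
    if (curve === 'prime256v1') return 'ES256'; // P-256
    if (curve === 'secp384r1') return 'ES384';  // P-384
    if (curve === 'secp521r1') return 'ES512';  // P-521
  }
  throw new Error(`unsupported key: ${key.asymmetricKeyType}`);
}

// JWS expects ECDSA signatures as raw R||S (IEEE P1363), not DER.
const keyArg = (alg: string, key: KeyObject) =>
  alg.startsWith('ES') ? { key, dsaEncoding: 'ieee-p1363' as const } : key;

function issueJwt(claims: Record<string, unknown>, privateKey: KeyObject, kid: string): string {
  const alg = algForKey(privateKey);
  const input = `${b64url(JSON.stringify({ alg, typ: 'JWT', kid }))}.${b64url(JSON.stringify(claims))}`;
  const sig = sign(DIGEST[alg], Buffer.from(input), keyArg(alg, privateKey));
  return `${input}.${b64url(sig)}`;
}

interface VerifyOptions { issuer: string; audience: string; now: number; skew?: number }

function verifyJwt(token: string, jwks: Record<string, KeyObject>, opts: VerifyOptions): Record<string, any> {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // 1. The verifier's allow-list decides, never the token's own alg header.
  if (typeof header.alg !== 'string' || !ALLOWED_ALGS.has(header.alg)) {
    throw new Error(`alg not allowed: ${header.alg}`);
  }
  // 2. Key lookup by kid in the tenant JWKS.
  const key = typeof header.kid === 'string' ? jwks[header.kid] : undefined;
  if (!key) throw new Error('unknown kid');
  // 3. The alg must fit the key: EC keys only with their curve's alg, RSA only with RS*.
  const keyAlg = algForKey(key);
  const fits = keyAlg.startsWith('ES') ? header.alg === keyAlg : header.alg.startsWith('RS');
  if (!fits) throw new Error('alg does not match key type');
  // 4. Signature over the exact header.payload bytes as received.
  const ok = verify(DIGEST[header.alg], Buffer.from(`${h}.${p}`), keyArg(header.alg, key), Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // 5. Registered claims, with an optional clock-skew allowance.
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  const skew = opts.skew ?? 0;
  if (claims.iss !== opts.issuer) throw new Error('iss mismatch');
  const aud: unknown[] = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(opts.audience)) throw new Error('aud mismatch');
  if (typeof claims.exp !== 'number' || opts.now >= claims.exp + skew) throw new Error('token expired');
  if (typeof claims.nbf === 'number' && opts.now < claims.nbf - skew) throw new Error('token not yet valid');
  return claims;
}

// Round trip with constructed sample values; returns outcomes so they can be checked.
function runDemo() {
  const kid = 'demo-key-1'; // constructed key id
  const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const jwks = { [kid]: publicKey };
  const now = 1_700_000_000; // fixed clock so the checks are deterministic
  const claims = { iss: 'https://issuer.example', sub: 'user-123', aud: 'client-abc',
                   iat: now, nbf: now, exp: now + 3600, jti: 'jti-1' };
  const token = issueJwt(claims, privateKey, kid);
  const base = { issuer: claims.iss, audience: claims.aud, now: now + 60 };
  const rejects = (fn: () => unknown): boolean => { try { fn(); return false; } catch { return true; } };
  const [hdr, payload, sig] = token.split('.');
  const noneToken = `${b64url(JSON.stringify({ alg: 'none', kid }))}.${payload}.`;
  const tampered = `${hdr}.${b64url(JSON.stringify({ ...claims, sub: 'someone-else' }))}.${sig}`;
  return {
    alg: algForKey(privateKey),
    rsaAlg: algForKey(generateKeyPairSync('rsa', { modulusLength: 2048 }).privateKey),
    sub: verifyJwt(token, jwks, base).sub as string,
    noneRejected: rejects(() => verifyJwt(noneToken, jwks, base)),
    tamperedRejected: rejects(() => verifyJwt(tampered, jwks, base)),
    expiredRejected: rejects(() => verifyJwt(token, jwks, { ...base, now: now + 7200 })),
    wrongAudRejected: rejects(() => verifyJwt(token, jwks, { ...base, audience: 'other' })),
  };
}
```

The ordering inside verifyJwt is deliberate: the alg allow-list and the key-type check run before any signature work, so a token cannot steer the verifier toward "none" or toward treating a public key as a symmetric secret, and claim checks run only after the signature has bound them to the issuer.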

Partial / not yet implemented

  • PS256 / PS384 / PS512 (RSASSA-PSS) — not yet supported for issued or verified tokens; will require an explicit per-key alg field.
  • HS256 ID tokens — ID tokens are signed with the tenant's asymmetric jwt_signing key; symmetric ID tokens (signed with client_secret) are not issued.
  • Encrypted JWTs (JWE) — id_token_encrypted_response_alg and userinfo_encrypted_response_alg are not supported.

Released under the MIT License.