
RFC 7519 — JSON Web Token (JWT)

Spec: datatracker.ietf.org/doc/html/rfc7519
Status: Full

RFC 7519 defines the JWT container format used for access tokens and ID tokens.

Implemented

  • JWS-signed JWTs — all tokens issued by AuthHero are JWS-signed JWTs.
  • Signing algorithms — RS256 (default), RS384, RS512, ES256, ES384, ES512, and HS256.
  • Registered claims — iss, sub, aud, exp, iat, nbf, jti are set on issued tokens as appropriate.
  • Custom claims — tenants can inject additional claims via hooks, including the onFetchUserInfo pipeline.
  • Verification — incoming JWTs are verified against the tenant's JWKS, checking signature, iss, aud, and expiry.

Partial / not yet implemented

  • ID token signing algorithm — ID tokens are signed with RS256 only. HS256 ID tokens (for confidential clients that prefer symmetric signing) are not supported.
  • private_key_jwt client authentication — the asymmetric client assertion flow from RFC 7523 is not yet implemented.

Released under the MIT License.