RFC 7519

RFC 7519 defines the JSON Web Token (JWT) specification, a compact and URL-safe format for representing claims securely between parties. JWTs are widely used for authentication, authorization, and information exchange in modern web applications and APIs.

A JWT can be digitally signed (JWS) or encrypted (JWE), enabling integrity protection, confidentiality, or both.

Definition

RFC 7519 specifies the structure, processing rules, and registered claim names for JSON Web Tokens. A JWT consists of three parts (for JWS) or five parts (for JWE), with a standardized set of claims to ensure interoperability across different systems.

Each JWT contains:

  • Header — metadata describing the token type and algorithm

  • Payload — a set of claims about an entity and token metadata

  • Signature / Authentication Tag — used to verify integrity

Registered Claim Names

RFC 7519 defines a set of registered claim names that have specific, interoperable meanings:

  • iss (Issuer): identifies the principal issuing the token

  • sub (Subject): identifies the principal that is the subject

  • aud (Audience): intended recipients of the token

  • exp (Expiration Time): time after which the token must not be accepted

  • nbf (Not Before): identifies when the token becomes valid

  • iat (Issued At): timestamp of issuance

  • jti (JWT ID): unique identifier for preventing replay attacks

These claims are optional unless required by the application.

Public and Private Claims

Beyond registered claims, JWT supports:

  • Public claims — custom claims registered in the IANA JWT Claims Registry

  • Private claims — application-specific claims agreed upon by communicating parties

The payload is a JSON object and can contain any key–value pairs, as long as they do not collide with registered claim names.

JWT Structure (JWS)

A signed JWT uses the JWS compact serialization format:

<header>.<payload>.<signature>

Each component is Base64URL-encoded. This is the most common form, used in OAuth 2.0, OpenID Connect, API tokens, and session systems.
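The JWS compact serialization above and the registered claims from the previous section, worked through in stdlib Python as an added example (this is not joserfc's code): it builds an HS256 token, then verifies the signature before trusting the payload and checks iss, aud, exp and nbf. The key, issuer, audience and claim values are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data: bytes) -> str:
    # Base64URL without '=' padding, as JWS compact serialization requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_hs256(claims: dict, key: bytes) -> str:
    """Build <header>.<payload>.<signature> with an HMAC-SHA256 (HS256) signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_hs256(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verify the signature first, then the registered claims; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:               # JWE compact serialization has five parts; reject it here
        raise ValueError("expected three-part JWS compact serialization")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the algorithm the verifier expects, not the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the expected issuer")
    aud = claims.get("aud")           # aud may be a single string or an array of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not include this recipient")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token has expired or carries no exp")
    if now < claims.get("nbf", 0):
        raise ValueError("token is not yet valid (nbf)")
    return claims

# Constructed sample input for demonstration (not a real key or real identities)
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
DEMO_CLAIMS = {"iss": "https://issuer.example", "sub": "user-123", "aud": "api.example",
               "iat": 1700000000, "nbf": 1700000000, "exp": 1700000600, "jti": "demo-jti-1"}
```

Passing a fixed `now` makes the exp/nbf checks deterministic; omit it to validate against the wall clock.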

JWT Structure (JWE)

An encrypted JWT uses JWE compact serialization:

<header>.<encrypted-key>.<iv>.<ciphertext>.<tag>

JWE-based JWTs provide confidentiality as well as integrity, suitable for transmitting sensitive information.

Implementation

All JWT features defined in RFC 7519 are implemented in joserfc.
