OAuth 2.0 Bearer Flow JWT Claims
This table doesn’t apply to legacy named credentials.
Claim Name | Description | Notes |
---|---|---|
alg | The algorithm used to sign the token | Default is RS256, an asymmetric algorithm that uses a private/public pair. Added automatically on external credential creation. Not editable. |
aud | (Audience) Recipient for whom the token is intended. | Added when claims are edited. Editable through the JWT Claims panel on the editable credential. |
exp | (Expiration) Time after which the token expires. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds. | Set on external credential creation through the Expiration field. If no expiration number is provided, a default of 2 minutes in the future is set. |
iat | (Issued At Time) Time at which the token was issued. Can be used to determine age of the token. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds. | Added automatically on external credential creation. Not editable. |
iss | Issuer of the token. | Added automatically on external credential creation. Editable through the JWT Claims panel on the editable credential. |
nbf | (Not Before Time) Time before which the token must not be accepted for processing. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds. | Added automatically on external credential creation. Not editable. |
sub | Subject of the token (the user). The subject is a string when the identity type is named principal, and it’s a formula when the identity type is per user. | Added when claims are edited. Editable through the JWT Claims panel on the editable credential. |
typ | (Type) The media type of the token. | Added automatically on external credential creation. The value is set to 'JWT'. Not editable. |
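
The following Python example is added here and is not from the original page or from Salesforce. It shows how a service that receives such a token could check the header and claims listed in the table once the RS256 signature has been verified with the issuer's public key. The function names, the 30-second leeway, and the issuer and audience values passed in by the caller are assumptions.

```python
import base64
import json
import time

def sample_token(header, claims):
    """Build a constructed test token; the signature segment is a dummy."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"

def _segment(seg):
    """Decode one base64url segment (padding restored) into a JSON value."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_claims(token, expected_iss, expected_aud, now=None, leeway=30):
    """Return problems found (empty list = OK); signature must already be verified."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    try:
        header, claims = _segment(parts[0]), _segment(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    problems = []
    if header.get("alg") != "RS256":  # pin the algorithm instead of trusting the header
        problems.append("alg is not RS256")
    if header.get("typ") != "JWT":
        problems.append("typ is not JWT")
    if claims.get("iss") != expected_iss:
        problems.append("unexpected iss")
    aud = claims.get("aud")  # aud may be one string or a list of strings
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("unexpected aud")
    times = {}
    for name in ("exp", "nbf", "iat"):  # NumericDate: seconds since 1970-01-01T00:00:00Z
        value = claims.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            problems.append(f"{name} is missing or not a NumericDate")
        else:
            times[name] = value
    if "exp" in times and now >= times["exp"] + leeway:
        problems.append("token expired")
    if "nbf" in times and now < times["nbf"] - leeway:
        problems.append("token not yet valid")
    if "iat" in times and times["iat"] > now + leeway:
        problems.append("iat is in the future")
    return problems
```

With the default 2-minute expiration, the leeway should stay small so that clock-skew tolerance does not meaningfully extend the token's lifetime.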