OAuth 2.0 Bearer Flow JWT Claims

This table doesn’t apply to legacy named credentials.

Claim Name	Description	Notes
alg	The algorithm used to sign the token	Default is RS256, an asymmetric algorithm that uses a private/public pair. Added automatically on external credential creation. Not editable.
aud	(Audience) Recipient for whom the token is intended.	Added when claims are edited. Editable through the JWT Claims panel on the editable credential
exp	(Expiration) Time after which the token expires. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.	Set on external credential creation through the Expiration field. If no expiration number is provided, a default of 2 minutes in the future is set.
iat	(Issued At Time): Time at which the token was issued. Can be used to determine age of the token. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.	Added automatically on external credential creation. Not editable.
iss	Issuer of the token.	Added automatically on external credential creation. Editable through the JWT Claims panel on the editable credential.
nbf	(Not Before Time) Time before which the token must not be accepted for processing. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.	Added automatically on external credential creation. Not editable
sub	Subject of the token (the user). The subject is a string when the identity type is named principal, and it’s a formula when the identity type is per user.	Added when claims are edited. Editable through the JWT Claims panel on the editable credential.
typ	(Type) The media type of the token.	Added automatically on external credential creation. The value is set to 'JWT'. Not editable.