Skip to main content

JwtClaimTypes Class

Abblix.Jwt

Abblix.Jwt

JwtClaimTypes Class

Names of the JWT claims and JOSE header parameters used by this library, including the registered claims from RFC 7519 Section 4.1, common OpenID Connect claims, and several extensions (token exchange, security event tokens, etc.). Use these constants whenever reading from or writing to a JsonWebTokenHeader or JsonWebTokenPayload by raw name.

public static class JwtClaimTypes

Inheritance System.Object → JwtClaimTypes

Fields

JwtClaimTypes.AccessTokenHash Field

The 'at_hash' claim is used for the access token hash value in OpenID Connect. It provides validation that the access token is tied to the identity token.

public const string AccessTokenHash = "at_hash";

Field Value

System.String

JwtClaimTypes.Algorithm Field

"alg" header parameter (RFC 7515 Section 4.1.1, RFC 7516 Section 4.1.1): identifies the signing or key management algorithm. REQUIRED in both JWS and JWE headers.

public const string Algorithm = "alg";

Field Value

System.String

JwtClaimTypes.Audience Field

The 'aud' (audience) claim identifies the recipients that the JWT is intended for.

public const string Audience = "aud";

Field Value

System.String

JwtClaimTypes.AuthContextClassRef Field

The 'acr' (Authentication Context Class Reference) claim provides the reference values for the authentication context class.

public const string AuthContextClassRef = "acr";

Field Value

System.String

JwtClaimTypes.AuthenticationMethodReferences Field

The 'amr' (Authentication Methods References) claim lists the authentication methods used during authentication. It typically includes values like 'pwd' (password), 'mfa' (multi-factor authentication), or other method identifiers, and can help relying parties understand the strength and nature of the authentication.

public const string AuthenticationMethodReferences = "amr";

Field Value

System.String

JwtClaimTypes.AuthenticationTime Field

The 'auth_time' claim represents the time when the authentication occurred. It is expressed as the number of seconds since Unix epoch.

public const string AuthenticationTime = "auth_time";

Field Value

System.String

JwtClaimTypes.ClientId Field

The 'client_id' claim represents the identifier for the client that requested the authentication. Often used in OAuth 2.0 and OpenID Connect flows.

public const string ClientId = "client_id";

Field Value

System.String

JwtClaimTypes.CodeHash Field

The 'c_hash' claim is used for the code hash value in OpenID Connect. It is a hash of the authorization code issued by the authorization server.

public const string CodeHash = "c_hash";

Field Value

System.String

JwtClaimTypes.ContentType Field

"cty" header parameter (RFC 7515 Section 4.1.10): the media type of the JWS payload, used when the payload itself is a nested JWT or another well-defined media type.

public const string ContentType = "cty";

Field Value

System.String

JwtClaimTypes.Critical Field

"crit" header parameter (RFC 7515 Section 4.1.11): a JSON array of JOSE header parameter names that the recipient MUST understand and process. The parameter itself MUST be understood by JWS implementations, even when no extensions are in use.

public const string Critical = "crit";

Field Value

System.String

JwtClaimTypes.DPoPAccessTokenHash Field

The 'ath' (Access Token Hash) claim binds a DPoP proof to the access token it accompanies at a protected resource (RFC 9449 §4.2). Base64url-encoded SHA-256 of the access-token ASCII bytes; present only when an access token is presented. Distinct from AccessTokenHash (OIDC at_hash in id_tokens).

public const string DPoPAccessTokenHash = "ath";

Field Value

System.String

JwtClaimTypes.DPoPHttpMethod Field

The 'htm' (HTTP Method) claim binds a DPoP proof to the HTTP method of the request (RFC 9449 §4.2). Compared byte-exact against the request method.

public const string DPoPHttpMethod = "htm";

Field Value

System.String

JwtClaimTypes.DPoPHttpUri Field

The 'htu' (HTTP URI) claim binds a DPoP proof to the request target URI (RFC 9449 §4.2). Compared after RFC 3986 §6.2 canonicalisation.

public const string DPoPHttpUri = "htu";

Field Value

System.String

JwtClaimTypes.Email Field

The 'email' claim represents the user's email address.

public const string Email = "email";

Field Value

System.String

JwtClaimTypes.EmailVerified Field

The 'email_verified' claim is a boolean that is true if the user's email address has been verified; otherwise, it is false.

public const string EmailVerified = "email_verified";

Field Value

System.String

JwtClaimTypes.EncryptionAlgorithm Field

"enc" header parameter (RFC 7516 Section 4.1.2): identifies the JWE content encryption algorithm applied to the payload.

public const string EncryptionAlgorithm = "enc";

Field Value

System.String

JwtClaimTypes.Events Field

The 'events' claim represents the events associated with the authentication.

public const string Events = "events";

Field Value

System.String

JwtClaimTypes.ExpiresAt Field

The 'exp' (expiration time) claim identifies the expiration time on or after which the JWT must not be accepted for processing. It is expressed as the number of seconds since the Unix epoch. This claim is used to define the maximum lifespan of the JWT.

public const string ExpiresAt = "exp";

Field Value

System.String

JwtClaimTypes.GrantId Field

"grant_id" — Abblix private claim (RFC 7519 Section 4.3) identifying the authorization grant a refresh token belongs to. It binds every refresh token derived from one grant into a single lineage (a "token family" in RFC 9700 terms): a first-issued token starts a new grant, and each rotation carries the same value forward. It lets a detected replay revoke the whole family in one registry write. No IANA-registered claim captures per-grant refresh-token lineage, and this token is self-issued and self-validated, never shown to third parties. See RFC 9700 Section 4.14.2.

public const string GrantId = "grant_id";

Field Value

System.String

JwtClaimTypes.IdentityProvider Field

The 'idp' claim represents the identity provider that authenticated the end user.

public const string IdentityProvider = "idp";

Field Value

System.String

JwtClaimTypes.IssuedAt Field

The 'iat' (issued at) claim identifies the time at which the JWT was issued. It is expressed as the number of seconds since the Unix epoch. This claim can be used to determine the age of the JWT.

public const string IssuedAt = "iat";

Field Value

System.String

JwtClaimTypes.Issuer Field

The 'iss' (issuer) claim identifies the principal that issued the JWT. It is typically a URI identifying the issuer.

public const string Issuer = "iss";

Field Value

System.String

JwtClaimTypes.JsonWebKeyHeader Field

"jwk" header parameter (RFC 7515 Section 4.1.3): the public key embedded directly in the JOSE header as a JWK.

public const string JsonWebKeyHeader = "jwk";

Field Value

System.String

JwtClaimTypes.JwkSetUrl Field

"jku" header parameter (RFC 7515 Section 4.1.2): URL referring to a JWK Set whose keys the issuer claims as candidates for verifying the JWS.

public const string JwkSetUrl = "jku";

Field Value

System.String

JwtClaimTypes.JwtId Field

The 'jti' (JWT ID) claim provides a unique identifier for the JWT.

public const string JwtId = "jti";

Field Value

System.String

JwtClaimTypes.KeyId Field

"kid" header parameter (RFC 7515 Section 4.1.4, RFC 7516 Section 4.1.6): selects which key from a JWK Set produced the JWT, allowing key rotation without ambiguity.

public const string KeyId = "kid";

Field Value

System.String

JwtClaimTypes.KeyWrapAuthenticationTag Field

"tag" header parameter (RFC 7518 Section 4.7.1.2): the base64url-encoded 128-bit Authentication Tag produced when the CEK is wrapped with AES-GCM key wrapping (A128GCMKW/A192GCMKW/A256GCMKW).

public const string KeyWrapAuthenticationTag = "tag";

Field Value

System.String

JwtClaimTypes.KeyWrapInitializationVector Field

"iv" header parameter (RFC 7518 Section 4.7.1.1): the base64url-encoded 96-bit Initialization Vector used when the CEK is wrapped with AES-GCM key wrapping (A128GCMKW/A192GCMKW/A256GCMKW).

public const string KeyWrapInitializationVector = "iv";

Field Value

System.String

JwtClaimTypes.Nonce Field

The 'nonce' claim provides a string value used to associate a client session with an ID token.

public const string Nonce = "nonce";

Field Value

System.String

JwtClaimTypes.NotBefore Field

The 'nbf' (not before) claim identifies the time before which the JWT must not be accepted for processing. It is expressed as the number of seconds since the Unix epoch. This claim is used to define the earliest time at which the JWT is considered valid.

public const string NotBefore = "nbf";

Field Value

System.String

JwtClaimTypes.PhoneNumber Field

The 'phone_number' claim represents the user's phone number.

public const string PhoneNumber = "phone_number";

Field Value

System.String

JwtClaimTypes.PhoneNumberVerified Field

The 'phone_number_verified' claim is a boolean that is true if the user's phone number has been verified; otherwise, it is false.

public const string PhoneNumberVerified = "phone_number_verified";

Field Value

System.String

JwtClaimTypes.RequestedClaims Field

The 'requested_claims' claim represents the specific claims requested by the client.

public const string RequestedClaims = "requested_claims";

Field Value

System.String

JwtClaimTypes.Scope Field

The 'scope' claim represents the scope of access requested.

public const string Scope = "scope";

Field Value

System.String

JwtClaimTypes.SessionId Field

The 'sid' (session ID) claim identifies the session to which the JWT is linked. Useful for maintaining state between the client and the issuer.

public const string SessionId = "sid";

Field Value

System.String

JwtClaimTypes.Subject Field

The 'sub' (subject) claim identifies the principal that is the subject of the JWT. Typically used to represent the user or entity the token is about.

public const string Subject = "sub";

Field Value

System.String

JwtClaimTypes.Type Field

"typ" header parameter (RFC 7515 Section 4.1.9): the media type of the JWT, for example "JWT" or "at+jwt" for OAuth 2.0 access tokens (RFC 9068).

public const string Type = "typ";

Field Value

System.String

JwtClaimTypes.X509CertificateChain Field

"x5c" header parameter (RFC 7515 Section 4.1.6): an X.509 certificate chain embedded in the JOSE header as a JSON array of base64-encoded DER certificates.

public const string X509CertificateChain = "x5c";

Field Value

System.String

JwtClaimTypes.X509Sha1Thumbprint Field

"x5t" header parameter (RFC 7515 Section 4.1.7): base64url-encoded SHA-1 thumbprint of the DER encoding of the corresponding X.509 certificate. Discouraged in favour of X509Sha256Thumbprint per RFC 7515 §10.11.

public const string X509Sha1Thumbprint = "x5t";

Field Value

System.String

JwtClaimTypes.X509Sha256Thumbprint Field

"x5t#S256" header parameter (RFC 7515 Section 4.1.8): base64url-encoded SHA-256 thumbprint of the DER encoding of the corresponding X.509 certificate.

public const string X509Sha256Thumbprint = "x5t#S256";

Field Value

System.String

JwtClaimTypes.X509Url Field

"x5u" header parameter (RFC 7515 Section 4.1.5): URL referring to an X.509 public-key certificate or certificate chain corresponding to the key used for the JWS signature.

public const string X509Url = "x5u";

Field Value

System.String