JwtClaimTypes Class
Abblix.Jwt
Abblix.Jwt
JwtClaimTypes Class
Names of the JWT claims and JOSE header parameters used by this library, including the registered claims from RFC 7519 Section 4.1, common OpenID Connect claims, and several extensions (token exchange, security event tokens, etc.). Use these constants whenever reading from or writing to a JsonWebTokenHeader or JsonWebTokenPayload by raw name.
public static class JwtClaimTypes
Inheritance System.Object → JwtClaimTypes
Fields
JwtClaimTypes.AccessTokenHash Field
The 'at_hash' claim is used for the access token hash value in OpenID Connect. It provides validation that the access token is tied to the identity token.
public const string AccessTokenHash = "at_hash";
Field Value
JwtClaimTypes.Algorithm Field
"alg" header parameter (RFC 7515 Section 4.1.1, RFC 7516 Section 4.1.1): identifies the signing or key management algorithm. REQUIRED in both JWS and JWE headers.
public const string Algorithm = "alg";
Field Value
JwtClaimTypes.Audience Field
The 'aud' (audience) claim identifies the recipients that the JWT is intended for.
public const string Audience = "aud";
Field Value
JwtClaimTypes.AuthContextClassRef Field
The 'acr' (Authentication Context Class Reference) claim provides the reference values for the authentication context class.
public const string AuthContextClassRef = "acr";
Field Value
JwtClaimTypes.AuthenticationMethodReferences Field
The 'amr' (Authentication Methods References) claim lists the authentication methods used during authentication. It typically includes values like 'pwd' (password), 'mfa' (multi-factor authentication), or other method identifiers, and can help relying parties understand the strength and nature of the authentication.
public const string AuthenticationMethodReferences = "amr";
Field Value
JwtClaimTypes.AuthenticationTime Field
The 'auth_time' claim represents the time when the authentication occurred. It is expressed as the number of seconds since Unix epoch.
public const string AuthenticationTime = "auth_time";
Field Value
JwtClaimTypes.ClientId Field
The 'client_id' claim represents the identifier for the client that requested the authentication. Often used in OAuth 2.0 and OpenID Connect flows.
public const string ClientId = "client_id";
Field Value
JwtClaimTypes.CodeHash Field
The 'c_hash' claim is used for the code hash value in OpenID Connect. It is a hash of the authorization code issued by the authorization server.
public const string CodeHash = "c_hash";
Field Value
JwtClaimTypes.ContentType Field
"cty" header parameter (RFC 7515 Section 4.1.10): the media type of the JWS payload, used when the payload itself is a nested JWT or another well-defined media type.
public const string ContentType = "cty";
Field Value
JwtClaimTypes.Critical Field
"crit" header parameter (RFC 7515 Section 4.1.11): a JSON array of JOSE header parameter names that the recipient MUST understand and process. The parameter itself MUST be understood by JWS implementations, even when no extensions are in use.
public const string Critical = "crit";
Field Value
JwtClaimTypes.DPoPAccessTokenHash Field
The 'ath' (Access Token Hash) claim binds a DPoP proof to the access token it
accompanies at a protected resource (RFC 9449 §4.2). Base64url-encoded SHA-256 of
the access-token ASCII bytes; present only when an access token is presented.
Distinct from AccessTokenHash (OIDC at_hash in id_tokens).
public const string DPoPAccessTokenHash = "ath";
Field Value
JwtClaimTypes.DPoPHttpMethod Field
The 'htm' (HTTP Method) claim binds a DPoP proof to the HTTP method of the request (RFC 9449 §4.2). Compared byte-exact against the request method.
public const string DPoPHttpMethod = "htm";
Field Value
JwtClaimTypes.DPoPHttpUri Field
The 'htu' (HTTP URI) claim binds a DPoP proof to the request target URI (RFC 9449 §4.2). Compared after RFC 3986 §6.2 canonicalisation.
public const string DPoPHttpUri = "htu";
Field Value
JwtClaimTypes.Email Field
The 'email' claim represents the user's email address.
public const string Email = "email";
Field Value
JwtClaimTypes.EmailVerified Field
The 'email_verified' claim is a boolean that is true if the user's email address has been verified; otherwise, it is false.
public const string EmailVerified = "email_verified";
Field Value
JwtClaimTypes.EncryptionAlgorithm Field
"enc" header parameter (RFC 7516 Section 4.1.2): identifies the JWE content encryption algorithm applied to the payload.
public const string EncryptionAlgorithm = "enc";
Field Value
JwtClaimTypes.Events Field
The 'events' claim represents the events associated with the authentication.
public const string Events = "events";
Field Value
JwtClaimTypes.ExpiresAt Field
The 'exp' (expiration time) claim identifies the expiration time on or after which the JWT must not be accepted for processing. It is expressed as the number of seconds since the Unix epoch. This claim is used to define the maximum lifespan of the JWT.
public const string ExpiresAt = "exp";
Field Value
JwtClaimTypes.GrantId Field
"grant_id" — Abblix private claim (RFC 7519 Section 4.3) identifying the authorization grant a refresh token belongs to. It binds every refresh token derived from one grant into a single lineage (a "token family" in RFC 9700 terms): a first-issued token starts a new grant, and each rotation carries the same value forward. It lets a detected replay revoke the whole family in one registry write. No IANA-registered claim captures per-grant refresh-token lineage, and this token is self-issued and self-validated, never shown to third parties. See RFC 9700 Section 4.14.2.
public const string GrantId = "grant_id";
Field Value
JwtClaimTypes.IdentityProvider Field
The 'idp' claim represents the identity provider that authenticated the end user.
public const string IdentityProvider = "idp";
Field Value
JwtClaimTypes.IssuedAt Field
The 'iat' (issued at) claim identifies the time at which the JWT was issued. It is expressed as the number of seconds since the Unix epoch. This claim can be used to determine the age of the JWT.
public const string IssuedAt = "iat";
Field Value
JwtClaimTypes.Issuer Field
The 'iss' (issuer) claim identifies the principal that issued the JWT. It is typically a URI identifying the issuer.
public const string Issuer = "iss";
Field Value
JwtClaimTypes.JsonWebKeyHeader Field
"jwk" header parameter (RFC 7515 Section 4.1.3): the public key embedded directly in the JOSE header as a JWK.
public const string JsonWebKeyHeader = "jwk";
Field Value
JwtClaimTypes.JwkSetUrl Field
"jku" header parameter (RFC 7515 Section 4.1.2): URL referring to a JWK Set whose keys the issuer claims as candidates for verifying the JWS.
public const string JwkSetUrl = "jku";
Field Value
JwtClaimTypes.JwtId Field
The 'jti' (JWT ID) claim provides a unique identifier for the JWT.
public const string JwtId = "jti";
Field Value
JwtClaimTypes.KeyId Field
"kid" header parameter (RFC 7515 Section 4.1.4, RFC 7516 Section 4.1.6): selects which key from a JWK Set produced the JWT, allowing key rotation without ambiguity.
public const string KeyId = "kid";
Field Value
JwtClaimTypes.KeyWrapAuthenticationTag Field
"tag" header parameter (RFC 7518 Section 4.7.1.2): the base64url-encoded 128-bit Authentication Tag produced when the CEK is wrapped with AES-GCM key wrapping (A128GCMKW/A192GCMKW/A256GCMKW).
public const string KeyWrapAuthenticationTag = "tag";
Field Value
JwtClaimTypes.KeyWrapInitializationVector Field
"iv" header parameter (RFC 7518 Section 4.7.1.1): the base64url-encoded 96-bit Initialization Vector used when the CEK is wrapped with AES-GCM key wrapping (A128GCMKW/A192GCMKW/A256GCMKW).
public const string KeyWrapInitializationVector = "iv";
Field Value
JwtClaimTypes.Nonce Field
The 'nonce' claim provides a string value used to associate a client session with an ID token.
public const string Nonce = "nonce";
Field Value
JwtClaimTypes.NotBefore Field
The 'nbf' (not before) claim identifies the time before which the JWT must not be accepted for processing. It is expressed as the number of seconds since the Unix epoch. This claim is used to define the earliest time at which the JWT is considered valid.
public const string NotBefore = "nbf";
Field Value
JwtClaimTypes.PhoneNumber Field
The 'phone_number' claim represents the user's phone number.
public const string PhoneNumber = "phone_number";
Field Value
JwtClaimTypes.PhoneNumberVerified Field
The 'phone_number_verified' claim is a boolean that is true if the user's phone number has been verified; otherwise, it is false.
public const string PhoneNumberVerified = "phone_number_verified";
Field Value
JwtClaimTypes.RequestedClaims Field
The 'requested_claims' claim represents the specific claims requested by the client.
public const string RequestedClaims = "requested_claims";
Field Value
JwtClaimTypes.Scope Field
The 'scope' claim represents the scope of access requested.
public const string Scope = "scope";
Field Value
JwtClaimTypes.SessionId Field
The 'sid' (session ID) claim identifies the session to which the JWT is linked. Useful for maintaining state between the client and the issuer.
public const string SessionId = "sid";
Field Value
JwtClaimTypes.Subject Field
The 'sub' (subject) claim identifies the principal that is the subject of the JWT. Typically used to represent the user or entity the token is about.
public const string Subject = "sub";
Field Value
JwtClaimTypes.Type Field
"typ" header parameter (RFC 7515 Section 4.1.9): the media type of the JWT, for example "JWT" or "at+jwt" for OAuth 2.0 access tokens (RFC 9068).
public const string Type = "typ";
Field Value
JwtClaimTypes.X509CertificateChain Field
"x5c" header parameter (RFC 7515 Section 4.1.6): an X.509 certificate chain embedded in the JOSE header as a JSON array of base64-encoded DER certificates.
public const string X509CertificateChain = "x5c";
Field Value
JwtClaimTypes.X509Sha1Thumbprint Field
"x5t" header parameter (RFC 7515 Section 4.1.7): base64url-encoded SHA-1 thumbprint of the DER encoding of the corresponding X.509 certificate. Discouraged in favour of X509Sha256Thumbprint per RFC 7515 §10.11.
public const string X509Sha1Thumbprint = "x5t";
Field Value
JwtClaimTypes.X509Sha256Thumbprint Field
"x5t#S256" header parameter (RFC 7515 Section 4.1.8): base64url-encoded SHA-256 thumbprint of the DER encoding of the corresponding X.509 certificate.
public const string X509Sha256Thumbprint = "x5t#S256";
Field Value
JwtClaimTypes.X509Url Field
"x5u" header parameter (RFC 7515 Section 4.1.5): URL referring to an X.509 public-key certificate or certificate chain corresponding to the key used for the JWS signature.
public const string X509Url = "x5u";