act
Registry Context
The `act` claim identifies the current actor in a JWT that expresses delegation. For access control, a token consumer must consider only the token's top-level claims and the current actor; nested `act` claims identify prior actors and are informational only.
Technical Summary
The `act` claim value is a JSON object containing claims that identify and may provide additional information about the actor. The outermost `act` identifies the current actor, while nested `act` claims record prior actors in a delegation chain.
When Used
Used in a JWT to express that delegation has occurred and identify the acting party to whom authority was delegated. It can also be included as a top-level member of an OAuth token introspection response with the same semantics and format.
Normative Requirements
consumer of a token
RFC 8693 - Section 4.1
consider only the token's top-level claims and the party identified as the current actor by the `act` claim.
Condition: when applying access control policy
MUST only consider the token's top-level claims and the party identified as the current actor
Validation Guidance
When applying access control policy, use only the token's top-level claims and the current actor identified by the outermost `act` claim; do not consider prior actors in nested `act` claims.
If `act` is present, verify that its value is a JSON object containing claims that identify the actor.
Do not interpret non-identity claims such as `exp`, `nbf`, or `aud` within an `act` object as affecting the containing JWT's validity.
Security Notes
RFC 8693 - Section 4.1
Prior actors identified by nested `act` claims are informational only and are not considered in access control decisions.
RFC 8693 - Section 4.1
Claims within `act` pertain only to actor identity. Non-identity claims such as `exp`, `nbf`, and `aud` are not meaningful within `act` and are not used.
Reference
Details
- Entry Id
act- Claim Name
act- Claim Description
Actor- Change Controller
IESG- Reference
RFC8693 - Section 4.1