oauth2.dev

htm

IETF

Registry Context

`htm` is the DPoP proof claim containing the HTTP method of the request to which the proof is attached.

Technical Summary

In a DPoP proof JWT, `htm` identifies the HTTP method of the attached request. The payload must contain this claim, and the receiving server must verify that it matches the current request's HTTP method.

When Used

Used in DPoP proof JWTs attached to HTTP requests.

Normative Requirements

Servers

MUST
2
  1. RFC 9449 - Section 4.3

    ensure that the JWT contains all claims required by Section 4.2, including `htm`.

    Condition: when validating a DPoP proof

    To validate a DPoP proof, the receiving server MUST ensure ... All required claims per Section 4.2 are contained in the JWT.

  2. RFC 9449 - Section 4.3

    ensure that the `htm` claim matches the HTTP method of the current request.

    Condition: when validating a DPoP proof

    To validate a DPoP proof, the receiving server MUST ensure ... The htm claim matches the HTTP method of the current request.

DPoP proof JWT payload

MUST
1
  1. RFC 9449 - Section 4.2

    contain the `htm` claim.

    The payload of a DPoP proof MUST contain at least the following claims: ... htm

Validation Guidance

error

Reject a DPoP proof if its payload does not include `htm`.

error

Reject a DPoP proof if `htm` does not match the HTTP method of the current request.

Reference

Details

Entry Id
htm
Claim Name
htm
Claim Description
The HTTP method of the request
Change Controller
IETF
Reference
RFC9449 - Section 4.2