oauth2.dev

jti

IESG

Registry Context

The jti claim is an optional, case-sensitive string that uniquely identifies a JWT. Its value must be assigned so accidental collisions are negligibly likely, including across issuers when an application uses multiple issuers.

Technical Summary

RFC 7519 Section 4.1.7 defines jti as the JWT ID claim. When used, its value must have a negligible probability of accidental collision with another data object. Applications using multiple issuers must also prevent collisions between issuer-generated values.

When Used

When a JWT needs an identifier, including to help prevent replay.

Normative Requirements

Unspecified actor

OPTIONAL
1
  1. RFC 7519 - Section 4.1.7

    use the jti claim.

    Use of this claim is OPTIONAL.

application

MUST
1
  1. RFC 7519 - Section 4.1.7

    prevent collisions among values produced by different issuers.

    Condition: if the application uses multiple issuers

    collisions MUST be prevented among values produced by different issuers as well

identifier assigner

MUST
1
  1. RFC 7519 - Section 4.1.7

    assign the identifier value so there is a negligible probability that the same value will be accidentally assigned to a different data object.

    Condition: when assigning a jti value

    The identifier value MUST be assigned ... [with] a negligible probability

Validation Guidance

info

Do not require jti to be present in every JWT.

error

When assigning a jti value, use an identifier space and generation method that make accidental duplicate assignment negligibly likely.

error

For applications using multiple issuers, prevent jti collisions across values produced by those issuers.

error

When present, verify that jti is a case-sensitive string.

Security Notes

RFC 7519 - Section 4.1.7

The jti claim can be used to prevent a JWT from being replayed.

RFC 7519 - Section 4.1.7

Applications using multiple issuers must prevent collisions among jti values produced by different issuers.

Reference

Details

Entry Id
jti
Claim Name
jti
Claim Description
JWT ID
Change Controller
IESG
Reference
RFC7519 - Section 4.1.7