jti
Registry Context
The jti claim is an optional, case-sensitive string that uniquely identifies a JWT. Its value must be assigned so accidental collisions are negligibly likely, including across issuers when an application uses multiple issuers.
Technical Summary
RFC 7519 Section 4.1.7 defines jti as the JWT ID claim. When used, its value must have a negligible probability of accidental collision with another data object. Applications using multiple issuers must also prevent collisions between issuer-generated values.
When Used
When a JWT needs an identifier, including to help prevent replay.
Normative Requirements
Unspecified actor
RFC 7519 - Section 4.1.7
use the jti claim.
Use of this claim is OPTIONAL.
application
RFC 7519 - Section 4.1.7
prevent collisions among values produced by different issuers.
Condition: if the application uses multiple issuers
collisions MUST be prevented among values produced by different issuers as well
identifier assigner
RFC 7519 - Section 4.1.7
assign the identifier value so there is a negligible probability that the same value will be accidentally assigned to a different data object.
Condition: when assigning a jti value
The identifier value MUST be assigned ... [with] a negligible probability
Validation Guidance
Do not require jti to be present in every JWT.
When assigning a jti value, use an identifier space and generation method that make accidental duplicate assignment negligibly likely.
For applications using multiple issuers, prevent jti collisions across values produced by those issuers.
When present, verify that jti is a case-sensitive string.
Security Notes
RFC 7519 - Section 4.1.7
The jti claim can be used to prevent a JWT from being replayed.
RFC 7519 - Section 4.1.7
Applications using multiple issuers must prevent collisions among jti values produced by different issuers.
Reference
Details
- Entry Id
jti- Claim Name
jti- Claim Description
JWT ID- Change Controller
IESG- Reference
RFC7519 - Section 4.1.7