nbf
Registry Context
The `nbf` claim identifies when a JWT may begin to be accepted for processing. Before that time, the JWT must not be accepted. The claim is optional, its value must be a NumericDate number, and implementers may allow a small clock-skew leeway.
Technical Summary
RFC 7519 defines `nbf` as the Not Before claim. The current date/time MUST be after or equal to its NumericDate value before the JWT is accepted for processing. Implementers MAY provide a small leeway, usually no more than a few minutes, for clock skew. Use of the claim is OPTIONAL.
When Used
When a JWT must not be accepted for processing before a specified time.
Normative Requirements
Unspecified actor
RFC 7519 - Section 4.1.5
encode the `nbf` claim value as a number containing a NumericDate value.
Condition: when the `nbf` claim is used
Its value MUST be a number containing a NumericDate value.
RFC 7519 - Section 4.1.5
use the `nbf` claim.
Use of this claim is OPTIONAL.
Implementers
RFC 7519 - Section 4.1.5
provide some small leeway to account for clock skew.
Condition: when processing the `nbf` claim
Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.
JWT processor
RFC 7519 - Section 4.1.5
accept the JWT for processing.
Condition: before the date/time identified by the `nbf` claim
The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.
RFC 7519 - Section 4.1.5
ensure that the current date/time is after or equal to the not-before date/time.
Condition: when processing the `nbf` claim
The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim.
Validation Guidance
Reject a JWT when the current time, accounting for any configured small clock-skew leeway, is still before its `nbf` time.
Verify that `nbf` is a JSON number containing a NumericDate value.
If clock-skew leeway is provided, keep it small; RFC 7519 describes it as usually no more than a few minutes.
Do not treat `nbf` as universally required by RFC 7519.
Security Notes
RFC 7519 - Section 4.1.5
A JWT MUST NOT be accepted for processing before the time identified by its `nbf` claim, subject to any small clock-skew leeway provided by the implementation.
RFC 7519 - Section 4.1.5
RFC 7519 describes clock-skew leeway as small and usually no more than a few minutes.
Reference
Details
- Entry Id
nbf- Claim Name
nbf- Claim Description
Not Before- Change Controller
IESG- Reference
RFC7519 - Section 4.1.5