oauth2.dev

exp

IETF

Registry Context

The `exp` claim identifies the time on or after which a JWT must not be accepted for processing. In a JAR Request Object, it retains this JWT-defined meaning.

Technical Summary

RFC 7519 defines `exp` as a NumericDate represented by a JSON number. RFC 9101 defines Request Objects as JWTs carrying OAuth 2.0 authorization request parameters and states that core JWT claims in Request Objects retain their JWT-defined purposes.

When Used

When a JWT, including a JAR Request Object, needs an explicit expiration time.

Normative Requirements

Requests

MUST
1
  1. RFC 9101 - Section 4

    Represent numerical values, including a numerical `exp` value, as JSON numbers..

    Condition: When constructing a Request Object containing numerical values.

    Numerical values MUST be included as JSON numbers.

Implementer

MAY
1
  1. RFC 7519 - Section 4.1.4

    Provide a small leeway, usually no more than a few minutes, to account for clock skew..

    Condition: When processing `exp`.

    Implementers MAY provide for some small leeway

JWT issuer

MUST
1
  1. RFC 7519 - Section 4.1.4

    Represent the `exp` value as a number containing a NumericDate value..

    Condition: When including `exp`.

    Its value MUST be a number containing a NumericDate value.

OPTIONAL
1
  1. RFC 7519 - Section 4.1.4

    Include the `exp` claim..

    Use of this claim is OPTIONAL.

JWT processor

MUST NOT
1
  1. RFC 7519 - Section 4.1.4

    Accept the JWT for processing on or after the expiration time identified by `exp`..

    Condition: When `exp` is present.

    JWT MUST NOT be accepted for processing

MUST
1
  1. RFC 7519 - Section 4.1.4

    Require the current date and time to be before the expiration date and time in `exp`..

    Condition: When processing `exp`.

    current date/time MUST be before the expiration date/time

Validation Guidance

error

When `exp` is present, verify that it is a JSON number containing a NumericDate value.

error

Reject the JWT when the current time is at or after `exp`, subject to any configured small clock-skew leeway.

info

Do not require every JWT to contain `exp`; its use is optional under RFC 7519.

error

For a JAR Request Object, interpret `exp` only with its JWT-defined expiration meaning.

Reference

Details

Entry Id
exp
Name
exp
Parameter Usage Location
authorization request
Change Controller
IETF
Reference
RFC7519 - Section 4.1.4, RFC9101