oauth2.dev

iat

IETF

Registry Context

`iat` identifies the time at which a JWT was issued. RFC 9101 registers it as an OAuth authorization request parameter because a Request Object is a JWT.

Technical Summary

RFC 7519 defines `iat` as an optional JWT claim whose value is a NumericDate represented by a JSON number. RFC 9101 registers `iat` in the OAuth Parameters registry with the usage location "authorization request" and requires core JWT claims in a Request Object to retain their JWT-defined meanings.

When Used

When conveying the JWT issuance time in a JWT, including an OAuth Request Object.

Normative Requirements

Unspecified actor

OPTIONAL
1
  1. RFC 7519 - Section 4.1.6

    Use of the `iat` claim is optional..

    Use of this claim is OPTIONAL.

JWT producer

MUST
1
  1. RFC 7519 - Section 4.1.6

    The `iat` value must be a number containing a NumericDate value..

    Condition: When an `iat` claim is included in a JWT.

    Its value MUST be a number containing a NumericDate value.

Validation Guidance

error

Flag an included `iat` value as invalid if it is not a JSON number containing a NumericDate value.

info

Allow JWTs that omit `iat`.

Reference

Details

Entry Id
iat
Name
iat
Parameter Usage Location
authorization request
Change Controller
IETF
Reference
RFC7519 - Section 4.1.6, RFC9101