nbf
Registry Context
`nbf` identifies the time before which a JWT must not be accepted for processing. Its value must be a NumericDate.
Technical Summary
`nbf` is an optional registered JWT claim whose value must be a JSON number containing a NumericDate. Processing requires the current time to be at or after that time, although a small clock-skew leeway may be applied. RFC 9101 registers it as an OAuth authorization request parameter for Request Objects.
When Used
authorization request
Normative Requirements
implementer
RFC 7519 - Section 4.1.5
allow a small leeway to account for clock skew.
Condition: when processing the `nbf` claim
Implementers MAY provide for some small leeway
JWT processor
RFC 7519 - Section 4.1.5
accept the JWT for processing before the time identified by `nbf`.
Condition: when the JWT contains an `nbf` claim
the JWT MUST NOT be accepted for processing
RFC 7519 - Section 4.1.5
determine that the current date and time is after or equal to the not-before date and time.
Condition: when processing the `nbf` claim
the current date/time MUST be after or equal to the not-before date/time
JWT producer
RFC 7519 - Section 4.1.5
encode `nbf` as a number containing a NumericDate value.
Condition: when the `nbf` claim is used
Its value MUST be a number containing a NumericDate value.
RFC 7519 - Section 4.1.5
include the `nbf` claim.
Use of this claim is OPTIONAL.
Validation Guidance
Reject an `nbf` value that is not a JSON number containing a valid NumericDate value.
Do not accept the JWT before the `nbf` time; any configured clock-skew allowance should be small.
Do not report an absent `nbf` claim as a violation of RFC 7519 alone.
Reference
Details
- Entry Id
nbf- Name
nbf- Parameter Usage Location
authorization request- Change Controller
IETF- Reference
RFC7519 - Section 4.1.5, RFC9101