Common Token Claims
The following claims are common to the KYA (Know Your Agent), PAY (Payment), and KYA-PAY (combined Know Your Agent and Payment) Tokens.
Header
| Claim | Description |
|---|---|
| alg (algorithm) | Cryptographic algorithm used to sign the token. |
| kid (key ID) | Identifier of the key, in the issuer's JWK Set, that signed the token. |
| typ (type) | Type of the token. MUST be kya+jwt, pay+jwt, or kya-pay+jwt. |
Payload
| Claim | Description |
|---|---|
| env (environment) | Issuer environment: production or sandbox. |
| btg (buyer tag) | OPTIONAL. An opaque reference ID internal to the buyer. |
| ssi (seller service ID) | OPTIONAL. Seller Service ID that this token was created for. |
| sdm (seller domain) | OPTIONAL. Seller domain, associated with the audience claim, that the token is intended for. |
| ori (originator) | OPTIONAL. URL of the token's originator. |
| iat (issued at) | Identifies the time at which the JWT was issued. This claim MUST have a value in the past and can be used to determine the age of the JWT. |
| iss (issuer) | URL of the token's issuer. Used for discovering the JWK Set for token signature verification, via the /.well-known/jwks.json suffix mechanism. |
| jti (JWT ID) | Unique identifier (UUID) for the JWT. The value may be used for rate limiting. Note that an agent may present the same token multiple times until it expires. |
| aud (audience) | Audience, uniquely identifying the seller agent. Used for audience binding and replay attack mitigation. A single string value. |
| sub (subject) | Subject Identifier. MUST be pairwise unique within a given issuer. |
| exp (expiration time) | Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. |
Additional claims MAY be defined and used in these tokens. The recipient MUST ignore any unrecognized claims.
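The following Python validator is an added example, not code from the specification or from any implementation of it. It applies the constraints above to a compact JWS: the header `typ`, `alg` and `kid` checks, the JWK Set URL derived from `iss` with the `/.well-known/jwks.json` suffix, and the payload claim rules (single-string `aud` bound to this recipient, `iat` not in the future, rejection on or after `exp`, `env` limited to production or sandbox, unrecognized claims ignored). The function names, the set of accepted `alg` values (ES256 and RS256, an assumption; the page does not list algorithms) and the sample token are this example's own choices. Signature verification is deliberately left to a JWS library: the key named by `kid` is fetched from the derived JWKS URL, and the claims must only be trusted after that check succeeds.

```python
import base64
import json
from urllib.parse import urlparse

# Added example. Names and the accepted alg set are assumptions of this example,
# not values taken from the specification.
ALLOWED_TYP = {"kya+jwt", "pay+jwt", "kya-pay+jwt"}
ALLOWED_ALG = {"ES256", "RS256"}   # assumption; "none" and HMAC downgrades are rejected
ALLOWED_ENV = {"production", "sandbox"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def split_token(token: str):
    """Split a compact JWS into (header, payload, signing_input, signature).
    Nothing returned here is trusted yet: the caller must verify `signature`
    over `signing_input` with the JWK named by header["kid"] first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    return header, payload, signing_input, _b64url_decode(parts[2])


def jwks_url(iss: str) -> str:
    """Derive the JWK Set URL from iss via the /.well-known/jwks.json suffix."""
    u = urlparse(iss)
    if u.scheme != "https" or not u.netloc:
        raise ValueError("iss must be an https URL")
    return iss.rstrip("/") + "/.well-known/jwks.json"


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a compact JWS with a placeholder signature (constructed input only)."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}.{_b64url_encode(b'placeholder-signature')}"


def header_errors(header: dict) -> list:
    errs = []
    if header.get("typ") not in ALLOWED_TYP:
        errs.append("typ must be kya+jwt, pay+jwt or kya-pay+jwt")
    if header.get("alg") not in ALLOWED_ALG:
        errs.append("alg not allowed")
    if not isinstance(header.get("kid"), str) or not header["kid"]:
        errs.append("kid missing")
    return errs


def claim_errors(payload: dict, expected_aud: str, now: int) -> list:
    errs = []
    if payload.get("env") not in ALLOWED_ENV:
        errs.append("env must be production or sandbox")
    for name in ("iss", "sub", "jti"):
        if not isinstance(payload.get(name), str) or not payload[name]:
            errs.append(f"{name} missing")
    # aud is a single string identifying this seller agent; a list is rejected.
    if not isinstance(payload.get("aud"), str):
        errs.append("aud must be a single string")
    elif payload["aud"] != expected_aud:
        errs.append("aud does not match this recipient")
    iat, exp = payload.get("iat"), payload.get("exp")
    if not isinstance(iat, (int, float)) or iat > now:
        errs.append("iat missing or in the future")
    if not isinstance(exp, (int, float)) or now >= exp:   # on or after exp: reject
        errs.append("exp missing or token expired")
    for name in ("btg", "ssi", "sdm", "ori"):            # OPTIONAL claims
        if name in payload and not isinstance(payload[name], str):
            errs.append(f"{name} must be a string when present")
    return errs                                           # other claims are ignored


def validate(token: str, expected_aud: str, now: int) -> list:
    """Return every header/claim error. An empty list means the token is
    acceptable once its signature has been verified with the key `kid`
    fetched from jwks_url(payload['iss'])."""
    header, payload, _signing_input, _sig = split_token(token)
    errs = header_errors(header) + claim_errors(payload, expected_aud, now)
    try:
        jwks_url(payload.get("iss", ""))
    except ValueError as e:
        errs.append(str(e))
    return errs


if __name__ == "__main__":
    now = 1_700_000_000   # fixed clock for a reproducible demo
    tok = make_unsigned_token(
        {"alg": "ES256", "kid": "key-1", "typ": "kya+jwt"},
        {"env": "sandbox", "iat": now - 60, "exp": now + 300,
         "iss": "https://issuer.example", "jti": "0f2c8b1e-1d1c-4b2c-9c3e-0a5d7e9f1b2c",
         "aud": "seller-agent-1", "sub": "pairwise-subject-1"})
    print("errors:", validate(tok, "seller-agent-1", now))
```

Run the checks in this order in a real recipient: read `alg` and `kid` from the header, fetch the JWK Set from `jwks_url(iss)`, verify the signature, and only then evaluate the claims. Checking claims first on an unverified payload leaks nothing here, but any decision taken on them before the signature check is a decision taken on attacker-controlled input.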
