Technical Summary
JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security
tokens that contain a set of claims that can be signed and/or
encrypted. JWTs are being widely used and deployed as a simple
security token format in numerous protocols and applications, both in
the area of digital identity, and in other application areas. The
goal of this Best Current Practices document is to provide actionable
guidance leading to secure implementation and deployment of JWTs.
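To make the token format described above concrete, here is an added example (not part of this writeup or of the BCP itself) that builds and verifies an HMAC-signed JWT using only the Python standard library. It assumes the HS256 algorithm with a shared secret; the key and the claims are constructed for the demonstration. The verifier pins the algorithm it expects rather than trusting the token's own "alg" header, which is one of the practices the BCP calls for.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for illustration only; a deployment would load its key from a secret store.
KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that the compact serialization strips; invalid input raises binascii.Error.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact-serialized JWT: base64url(header).base64url(claims).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    claims_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{claims_b64}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: int) -> dict:
    """Return the claims if the token is a valid, unexpired HS256 JWT; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a signed JWT in compact serialization has exactly three segments")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier decides which algorithm is acceptable; the token header does not.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the computed and presented signatures.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(claims_b64))
    # Only trust the claims after the signature has been checked.
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, key: bytes, now: int) -> bool:
    """Boolean wrapper around verify_hs256 for callers that only need accept/reject."""
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:  # covers JSON, base64 and signature failures
        return False


if __name__ == "__main__":
    tok = sign_hs256({"sub": "alice", "exp": 2000}, KEY)
    print(tok)
    print(verify_hs256(tok, KEY, now=1000))
```

The order of checks matters: the algorithm is fixed before any signature work, the signature is compared before the claims are parsed and trusted, and expiry is evaluated against a caller-supplied clock so the function can be tested deterministically.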
Working Group Summary
This document has been written in response to reports about insecure implementations and deployments of JWT.
The working group is in agreement that this document provides value to the community.
Document Quality
The document has received substantial review and suggestions for threat mitigations to cover. Many of the recommendations have been provided by researchers and implementers outside the working group.
Personnel
The document shepherd is Hannes Tschofenig.
The responsible Area Director is Roman Danyliw (and was previously Eric Rescorla).