]> Skyfire Systems Inc.

ankit_agarwal@yahoo.com https://skyfire.xyz

Self-Issued Consulting

michael_b_jones@hotmail.com https://self-issued.info/

agent identity agentic payment commerce This document defines a profile for agent identity and payment tokens in JSON web token (JWT) format. Authorization servers and resource servers from different vendors can leverage this profile to consume identity and payment tokens in an interoperable manner. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Source for this draft and an issue tracker can be found at .

Introduction As software agents evolve from pre-orchestrated workflow automations to truly autonomous or semi-autonomous assistants, they require the ability to identify themselves -- and more importantly, identify their human principals -- to external systems. Agents acting on behalf of users to discover services, create accounts, or execute actions currently face significant operational barriers. The KYAPay token addresses these challenges by providing a standard envelope to carry verified identity and payment information. By utilizing "kya" (Agent Identity) and "pay" (Payment) tokens, agents can identify their human principals to services, sites, bot managers, customer identity and access management (CIAM) systems, and fraud detectors. This enables agents to bypass common blocking mechanisms and access services that were previously restricted to manual human interaction. KYAPay does not aim to define agentic identity in its entirety. Rather, it specifies a standard and extensible JWT profile for a token that can be used to securely share human principal and agent identity information with websites and APIs. KYAPay tokens provide a strong signal of human presence behind agentic requests that are otherwise indistinguishable from programmatic and potentially malicious bot requests. Note that, in the future, the payment token functionality could be split into a separate specification, if desired by a working group adopting the specification. It is retained here at present for ease of reviewing.

Use Cases for the KYAPay Token Enabling agents to access websites and APIs on behalf of the human principals they represent is a design goal of KYAPay tokens. Today’s internet is designed primarily for humans, meaning that automated systems are often classified as malicious and blocked by web security infrastructure. However, the rise of AI agents has introduced a new paradigm where programmatic clients legitimately access websites and APIs on behalf of human principals. Because these agents can be hard to distinguish from traditional bots, they are often inadvertently blocked, creating a need for the web security ecosystem to distinguish between legitimate agentic traffic and truly malicious activity. KYAPay tokens are designed to address this challenge by enabling agents to convey verified identity and payment credentials. These tokens can provide web security systems and merchants with a strong signal that the requests are authorized by a human, allowing them to safely permit legitimate programmatic transactions while aggressively blocking undesired traffic. Enabling agents to create accounts and/or log in to accounts on behalf of their human principals is a related design goal. To achieve this, systems can utilize a token exchange workflow . In this process, a Security Token Service (STS), Identity Provider (IdP), or OAuth Authorization Server verifies incoming KYA tokens and extracts claims associated with the human principal, such as email addresses. The authorization server then performs a token exchange, swapping the KYA token for a standard OAuth Access Token, which the agent subsequently uses to interact with the target service. Crucially, this architecture allows the service to know that the agent is acting on behalf of the user, making it possible to differentiate between direct, human-present sessions and human-initiated, agentic sessions for authorization, auditing, and security purposes. Enabling agents to have ubiquity of access across the Internet just like their human principals is a related design goal. Automation typically scales as it achieves higher reliability and lower cost-to-entry. Unlike the structured logic required by cron jobs or low-code / no-code platforms, agentic automation leverages LLMs to execute tasks via natural language, effectively removing the software-skill barrier. As model reasoning improves and infrastructure scales, these agents become increasingly dependable and affordable for the human principal. To maximize utility, agents require ubiquitous Internet access, a feat made possible by KYAPay Token Issuers. By providing a client-side verification framework analogous to the server-side role of Certificate Authorities (CAs), KYAPay builds a standardized network of acceptance across the web security ecosystem. This allows for the seamless attestation of both the agent’s and the human principal’s identity, ensuring secure, cross-domain task execution without the friction of fragmented authentication silos. Enabling the ecosystem of web security vendors to engage in finer-grained and deliberate bad-actor mitigation is a related design goal. KYA tokens provide a layered, verified, and extensible identity stack specifically engineered for autonomous agents. This framework allows the web security ecosystem to distinguish among individual agent instances, the platforms they run on, and the human principals behind them. By establishing this level of granular visibility, security systems can transition from broad defensive measures to specific mitigation; rather than being forced to block an entire platform, administrators can now isolate and neutralize a single malicious human user or a malfunctioning software instance without disrupting legitimate traffic. Note that the protocols using these tokens to achieve these goals are not defined by this specification. The interoperable use of them for these purposes will require further specification. Early production deployments of KYAPay tokens are described at https://kyapay.org.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The claims iss, iat, exp, aud, and jti are defined by . The header parameters alg, kid, and typ are defined by . The alg value ES256 is a digital signature algorithm defined in .

Roles

Agent:

An application, service, or specific software process, executing on behalf of a Principal.

Agent Identity:

A unique identifier and a set of claims describing an agent. Grouped into the aid claim for convenience. Because an agent can be public or confidential (as described in ), the level of assurance for these claims varies dramatically. Agents also vary in terms of longevity -- they can have stable long-running identities (such as those of a server-side confidential client), or they can be transient and ephemeral, and correspond to individual API calls or compute workloads.

Agent Platform:

The service provider and runtime environment hosting the Agent, such as a cloud compute provider or AI operator service. Assertions about the agent platform are grouped into the apd claim, and are primarily used to identify the Principal entity operating the platform, allowing consumers of the token to apply reputation-based logic or offer platform-specific services.

Principal:

A legal entity (human or organization) on whose behalf / in whose authority an agent or service is operating.

Initiator Roles

Initiator Agent:

An Agent performing tasks on behalf of an Initiator Principal, that has its own Agent Identity, grouped into the aid claim.

Initiator Agent Platform:

The Agent Platform hosting the Initiator Agent. Some use cases require the Platform to have its own verified identity assertions, grouped into the apd claim.

Initiator Principal:

A legal entity (human or organization) behind the purchase / consumption of a product or service. In buyer/seller transactions, the Initiator is the buyer. The Principal typically interacts with the target via an Initiator Agent. Many targets are required to be able to determine the Initiator Identity in order to comply with KYC/AML regulations, accounting standards, and to maintain a direct customer relationships. The initiator principal's identity is grouped into the hid claim.

Initiator Identity:

The aggregate verified identity assertions of the initiator entities, typically encompassing the Initiator Principal, the Initiator Agent Platform, and the Initiator Agent itself. This composite identity is conveyed via the KYA token, allowing the target to verify the entire chain of responsibility behind a request. The initiator identity utilizes the hid, apd, and aid claims.

Target Roles

Target Agent:

An Agent performing tasks on behalf of a Target Principal, directly interacting with Initiator Agents to facilitate discovery and purchase. Typically runs on Internet-connected infrastructure, and discoverable via service directories. Target agent identity claims are also grouped into the aid claim if KYA tokens are generated for the targets.

Target Agent Platform:

The Agent Platform that hosts Target Agents. Some use cases require the Platform to have its own verified identity assertions, grouped into the apd claim.

Target Principal:

A human principal (individual or organization) that that owns the product, service, API, website, or content being consumed or sold, and serves as the ultimate beneficiary of a transaction. In buyer/seller transactions, the Target is the seller. The target principal's identity is grouped into the hid claim.

Target Identity:

The aggregate verified identity assertions of the target entities, typically encompassing the Target Principal, the Target Agent Platform, as well as the Target Agent Identity. These various aspects of Target Identity allow Initiators and Initiator Agents to perform reputation-based logic, to verify that they are interacting with the authorized (and expected) counter-party, and to fulfill KYC/AML regulation requirements. The target identity utilizes the hid, apd, and aid claims.

Ecosystem Infrastructure Roles

Identity Token Issuer:

A trusted neutral entity that conducts Know Your Customer (KYC) and Know Your Business (KYB) (for organizations) verifications. It is responsible for issuing cryptographically signed kya tokens that attest to the identity of the Principal, Agent, and Agent Platform, for both Initiators and Targets.

Payment Token Issuer:

A trusted entity responsible for facilitating the exchange of payments and credentials between the Initiator and Target. It issues signed pay tokens that enable settlement via various schemes (Cards, Banks, Cryptocurrency), without exposing raw credentials or secrets.

KYAPay Token Schemas

Common Token Claims The following are claims in common, used within the KYA (Know Your Agent), PAY (Payment), and KYA-PAY (combined Know Your Agent and Payment) Tokens.

iss:

REQUIRED - URL of the token's issuer. Used for discovering JWK Sets for token signature verification, via the /.well-known/jwks.json suffix mechanism.

sub:

REQUIRED - Subject Identifier. Must be pairwise unique within a given issuer.

aud:

REQUIRED - Audience (used for audience binding and replay attack mitigation), uniquely identifying the target agent. A single string value.

iat:

REQUIRED - as defined in . Identifies the time at which the JWT was issued. This claim must have a value in the past and can be used to determine the age of the JWT.

jti:

REQUIRED - Unique ID of this JWT as defined in .

exp:

REQUIRED - as defined in . Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.

tdm:

OPTIONAL - Target domain, associated with the audience claim, the token is intended for.

ori:

OPTIONAL - URL of the token's originator.

env:

OPTIONAL - Issuer environment (such as "production" or "sandbox"). Additional values may be defined and used.

tsi:

OPTIONAL - Target Service ID that this token was created for.

itg:

OPTIONAL - Initiator tag - an opaque reference ID internal to the initiator.

Additional claims MAY be defined and used in these tokens. The recipient MUST ignore any unrecognized claims.

KYA Token The following identity related claims are used within KYA and KYA-PAY tokens:

hid:

REQUIRED (Required for human identity use cases) - A map of human identity claims (individual or organization).

apd:

OPTIONAL - Agent Platform identity claims.

aid:

REQUIRED - Agent identity claims.

scope

OPTIONAL - String with space-separated scope values, per

The following informative example displays a decoded KYA type token.

A KYA type token

hid - Human Identity Sub-Claims The Human Identity (hid) claim contains sub-claims identifying the human principal (individual or organization) as follows.

email:

REQUIRED - Email address associated with the human individual or organization

given_name:

OPTIONAL - Given name(s) or first name(s) of the human principal if they are an individual.

middle_name:

OPTIONAL - Middle name(s) of the human principal if they are an individual.

family_name:

OPTIONAL - Surname(s) or last name(s) of the human principal if they are an individual.

phone_number:

OPTIONAL - Phone number associated with the human individual or organization.

organization_name:

OPTIONAL - Name of the organization.

verifier:

OPTIONAL - URL of the Identity Verifier

verified:

OPTIONAL - Boolean Verification status. True if verified, otherwise false.

verification_id:

OPTIONAL - Verification identifier. Identifier for the verification performed, such as a GUID.

Additional sub-claims MAY be defined and used. The recipient MUST ignore any unrecognized sub-claims.

Agent Platform Identity apd Sub-Claims The apd claim is optional. If present, it contains the following sub-claims.

id:

REQUIRED - Agent Platform identifier.

name:

REQUIRED - Agent Platform name.

email:

OPTIONAL - Email associated with agent platform.

phone_number:

OPTIONAL - Phone number associated with agent platform.

organization_name:

OPTIONAL - Legal name associated with agent platform.

verifier:

OPTIONAL - URL of the Identity Verifier

verified:

OPTIONAL - Boolean Verification status. True if verified, otherwise false.

verification_id:

OPTIONAL - Verification identifier. Identifier for the verification performed, such as a GUID.

Additional sub-claims MAY be defined and used. The recipient MUST ignore any unrecognized sub-claims.

Agent Identity aid Sub-Claims The aid claim is optional. If present, it contains the following sub-claims.

name:

REQUIRED - Agent name. The name should reflect the business purpose of the agent.

creation_ip:

REQUIRED - The public IP address of the system / agent that requested the token. Its value is a string containing the public IPv4 or IPv6 address from where the token request originated. It MUST be captured directly from the token request.

source_ips:

OPTIONAL - Valid public IP address, or range of public IP addresses, from where the system / agent's requests to merchants / services will originate. Array of comma-separated IPv4 addresses or ranges, IPv6 addresses or ranges, or domain names resolvable to an IP address via DNS. IPv4 and IPv6 addresses can be a single IPv4 or IPv6 address or a range of IPv4 or IPv6 addresses in CIDR notation or start-and-end IP pairs.

Additional sub-claims MAY be defined and used. The recipient MUST ignore any unrecognized sub-claims.

PAY Token The following payment related claims are used within PAY and KYA-PAY type tokens:

tpr:

OPTIONAL - JSON string representing target service price in currency units.

tps:

OPTIONAL - Target pricing scheme, which represents a way for the target list how it charges for its service or content. One of pay_per_use, subscription, pay_per_mb, or custom. Additional values may be defined and used.

amt:

REQUIRED - JSON string representing token amount in currency units.

cur:

REQUIRED - Currency unit, represented as an ISO 4217 three letter code, such as "EUR".

val:

REQUIRED - JSON string representing token amount in settlement network's units.

mnr:

OPTIONAL - JSON number representing maximum number of requests when tps is pay_per_use.

stp:

REQUIRED - Settlement type (one of coin or card). Additional values may be defined and used.

sti:

REQUIRED - Meta information for payment settlement, depending on settlement. type.

Settlement Information sti Sub-Claims The sti claim is optional. If present, it MAY contain the following sub-claims, all of which are OPTIONAL.

type:

REQUIRED - "type" is dependent on the "stp" value; for "coin" - "usdc"; for "card" - "visa_vic" or "mastercard_scof". Additional values may be defined and used.

payment_token:

OPTIONAL - String containing Virtual Payment Card Number in ISO/IEC 7812 format. 12-19 characters.

token_expiration_month:

OPTIONAL - String containing two-digit Expiration Month Number.

token_expiration_year:

OPTIONAL - String containing four-digit Expiration Year.

token_security_code:

OPTIONAL - String containing 3 or 4 digit CVV code.

verifier:

OPTIONAL - URL of the Payment Verifier

verified:

OPTIONAL - Boolean Verification status. True if verified, otherwise false.

verification_id:

OPTIONAL - Verification identifier. Identifier for the verification performed, such as a GUID.

Additional sub-claims MAY be defined and used. The recipient MUST ignore any unrecognized sub-claims.

PAY Token Example The following informative example displays a decoded PAY type token.

A PAY type token

KYA-PAY Token The following informative example displays a decoded KYA-PAY type token.

A KYA-PAY type token

Token Validation

Validating KYA and PAY Tokens

JWT Header Validation

1. alg - JWTs MUST be signed using allowed JWA algorithms (currently, ES256).
2. kid - The kid claim MUST be present, and set to a valid Key ID discoverable via the issuer's (payload iss claim) JWK Set.
3. typ - The typ header parameter value MUST be one of: kya+jwt, pay+jwt, or kya-pay+jwt.

JWT Payload Validation

1. Verify JWT Signature - Valid JWTs MUST be signed with a valid key belonging To the token's issuer (iss claim)
2. Validate iss Claim - Ensure that the token is signed by the expected valid issuer.
3. Validate the exp Claim - The verifier MUST validate that the token has not expired, within the verifier's clock drift tolerance.
4. Validate the iat Claim - The verifier MUST validate that the token was issued in the past, within the verifier's clock drift tolerance.
5. Validate the jti Claim - Ensure that the jti claim is present, and is a UUID.
6. Validate the aud Claim - Ensure that the aud identifies the recipient as the intended audience.
7. Validate the env Claim - Ensure that the Environment claim is set to an expected and use case appropriate value (such as production or sandbox)

Validating PAY Tokens For tokens of type pay+jwt or kya-pay+jwt, perform the steps described in the Validating KYA and PAY Tokens section. In addition, perform the following steps.

1. The val claim is greater than 0.
2. The amt claim is greater than 0.
3. The cur claim is set to a currency the target supports (such as USD)
4. The tps claim, if present, matches the pricing scheme that you configured in the target's service
5. The tpr claim, if present, matches the price that you configured in the target's service

Security Considerations When validating the JWTs described in this specification, implementers SHOULD follow the best practices and guidelines described in .

Privacy Considerations KYAPay tokens are designed to convey the information that an agent is acting on behalf of a principal - a person or organization. To do this, they will necessarily contain information about that principal that can be verified and utilized by participants in the system. Participants should therefore only share these tokens with other legitimate participants and not make their contents public or disclose them to unknown or untrustworthy parties. Consent of the principal represented to participate in the interactions is vital. If I authorize an agent to shop for a widget at given price, it's legitimate for the agent to carry enough information about me to the merchant to be able to do this for me. Whereas, if an agent claims to be shopping for me but does not have my authorization to do so, my privacy and possibly also my financial integrity are being violated. The principle of minimal disclosure should be employed. Only the infomation needed to facilitate the intended interactions should be placed in the tokens and conveyed to participants.

IANA Considerations

JSON Web Token Claims Registration This specification registers the following Claims in the IANA "JSON Web Token Claims" registry established by .

"tdm" Claim

• Claim Name: tdm
• Claim Description: Target domain the token is intended for
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#common-claims) of this specification

"tsi" Claim

• Claim Name: tsi
• Claim Description: Target Service ID that this token was created for
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#common-claims) of this specification

"ori" Claim

• Claim Name: ori
• Claim Description: URL of the token's originator
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#common-claims) of this specification

"env" Claim

• Claim Name: env
• Claim Description: Issuer environment (such as "production" or "sandbox")
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#common-claims) of this specification

"itg" Claim

• Claim Name: itg
• Claim Description: Initiator tag, an opaque reference ID internal to the initiator
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#common-claims) of this specification

"hid" Claim

• Claim Name: hid
• Claim Description: JSON structure containing human identity claims
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#kya-token) of this specification

"apd" Claim

• Claim Name: apd
• Claim Description: JSON structure containing agent platform identity claims
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#kya-token) of this specification

"aid" Claim

• Claim Name: aid
• Claim Description: JSON structure containing agent identity claims
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#kya-token) of this specification

"tpr" Claim

• Claim Name: tpr
• Claim Description: JSON string representing target service price in currency units
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#pay-token) of this specification

"tps" Claim

• Claim Name: tps
• Claim Description: Target pricing scheme, which represents a way for the target list how it charges for its service or content
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#pay-token) of this specification

"amt" Claim

• Claim Name: amt
• Claim Description: JSON string representing token amount in currency units
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#pay-token) of this specification

"cur" Claim

• Claim Name: cur
• Claim Description: Currency unit, represented as an ISO 4217 three letter code, such as "EUR"
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#pay-token) of this specification

"val" Claim

• Claim Name: val
• Claim Description: JSON string representing token amount in settlement network's units
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#pay-token) of this specification

"mnr" Claim

• Claim Name: mnr
• Claim Description: JSON number representing maximum number of requests
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#pay-token) of this specification

"stp" Claim

• Claim Name: stp
• Claim Description: Settlement type
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#pay-token) of this specification

"sti" Claim

• Claim Name: sti
• Claim Description: Meta information for payment settlement, depending on settlement
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com
• Reference: (#pay-token) of this specification

Media Types Registration This section registers the following media types in the IANA "Media Types" registry in the manner described in .

application/kya+jwt

• Type name: application
• Subtype name: kya+jwt
• Required parameters: n/a
• Optional parameters: n/a
• Encoding considerations: Uses JWS Compact Serialization as defined in
• Security considerations: See Security Considerations in in
• Interoperability considerations: n/a
• Published specification: (#kya-token) of this specification
• Applications that use this media type: Applications using Know Your Agent tokens
• Additional information:
  • Magic number(s): n/a
  • File extension(s): n/a
  • Macintosh file type code(s): n/a
• Person & email address to contact for further information: TBD
• Intended usage: COMMON
• Restrictions on usage: none
• Author: Michael B. Jones - michael_b_jones@hotmail.com
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com

application/pay+jwt

• Type name: application
• Subtype name: pay+jwt
• Required parameters: n/a
• Optional parameters: n/a
• Encoding considerations: Uses JWS Compact Serialization as defined in
• Security considerations: See Security Considerations in in
• Interoperability considerations: n/a
• Published specification: (#pay-token) of this specification
• Applications that use this media type: Applications using Pay tokens
• Additional information:
  • Magic number(s): n/a
  • File extension(s): n/a
  • Macintosh file type code(s): n/a
• Person & email address to contact for further information: TBD
• Intended usage: COMMON
• Restrictions on usage: none
• Author: Michael B. Jones - michael_b_jones@hotmail.com
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com

application/kya-pay+jwt

• Type name: application
• Subtype name: kya-pay+jwt
• Required parameters: n/a
• Optional parameters: n/a
• Encoding considerations: Uses JWS Compact Serialization as defined in
• Security considerations: See Security Considerations in in
• Interoperability considerations: n/a
• Published specification: (#kya-pay-token) of this specification
• Applications that use this media type: Applications using KYA-Pay tokens
• Additional information:
  • Magic number(s): n/a
  • File extension(s): n/a
  • Macintosh file type code(s): n/a
• Person & email address to contact for further information: TBD
• Intended usage: COMMON
• Restrictions on usage: none
• Author: Michael B. Jones - michael_b_jones@hotmail.com
• Change Controller: Michael B. Jones - michael_b_jones@hotmail.com

References Normative References JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification. This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers. JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK] This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This second document defines the general structure of the MIME media typing system and defines an initial set of media types. [STANDARDS-TRACK] This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice. JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs. n.d. n.d.

Document History [[ to be removed by the RFC Editor before publication as an RFC ]] -02

• Changed terms buyer and seller to initiator and target to generalize applicability. These claim names were changed: "sdm" to "tdm", "ssi" to "tsi", "btg" to "itg", "spr" to "tpr", and "sps" to "tps".
• Updated Settlement Information sti Sub-Claims.
• Changed specification type from Informative to Proposed Standard.

-01

• Removed "srl" (Seller Resource Locator) claim.

-00

• Initial Internet Draft.

Contributors