JSON Web Tokens
JSON Web Tokens are compact claim containers that can be signed, integrity protected, or encrypted; in agent systems they often carry identity, delegation, audience, and authorization evidence.
Definition
JSON Web Token, usually abbreviated JWT, is the IETF token format defined by RFC 7519: a compact, URL-safe way to represent claims transferred between two parties. Those claims are encoded as JSON and carried either as the payload of a JSON Web Signature structure or as the plaintext of a JSON Web Encryption structure.
A JWT is not a login ticket by itself. It is a claim format. Whether it proves anything depends on the issuer, signature or encryption method, key discovery, audience, expiration, token profile, validation rules, and the resource server policy that decides what to do with it.
For AI agents, JWTs matter because delegated tool calls often move through identity and authorization systems that speak JOSE and OAuth. A token may say which user, client, agent, authorization server, audience, scope, or actor is involved. The system still must validate and enforce those claims.
Snapshot
- Base standard: RFC 7519, published by the IETF in May 2015 and updated by later JWT best-practice work.
- Cryptographic family: JWTs are carried in JOSE structures, especially JWS for signatures and integrity protection, JWE for encryption, and JWK for key representation.
- Common profiles: OpenID Connect ID Tokens, OAuth JWT access tokens, JWT bearer assertions, request objects, response objects, SD-JWT VC, Entity Attestation Token, and token-status artifacts.
- Security boundary: a valid JWT is evidence about claims, not automatic permission to serve a request, run a tool, or treat a user as approving an agent action.
- Agent relevance: JWTs are often the bridge between AI Agent Identity, delegated user authority, tool gateways, and protected resources.
- Governance question: which issuer made which claim, for which audience, under which token profile, until what time, and which local policy accepted it?
How It Works
A typical JWT has a header, payload, and signature or encryption data, serialized in compact form. The payload contains claims. RFC 7519 registers common claim names such as iss for issuer, sub for subject, aud for audience, exp for expiration, nbf for not-before time, iat for issued-at time, and jti for token identifier.
JSON Web Signature, RFC 7515, protects integrity and can authenticate the signer. JSON Web Encryption, RFC 7516, protects confidentiality. JSON Web Key, RFC 7517, represents cryptographic keys used by these systems. Together these sit inside the JOSE family of specifications.
Many deployments use JWTs inside larger profiles. RFC 9068 defines a JWT profile for OAuth 2.0 access tokens and gives those tokens the explicit type at+jwt. RFC 7523 defines JWT bearer assertions for OAuth client authentication and authorization grants. OpenID Connect Core defines the ID Token as a JWT carrying claims about an authentication event. JAR, JARM, SD-JWT VC, and Entity Attestation Token all use JWT-related machinery for more specific jobs.
Base64url encoding is not secrecy. A signed JWT can still expose its claims to anyone who sees it. Encryption, claim minimization, audience restriction, and careful logging are separate design choices.
Boundary Tests
Not every JWT is an access token. A JWT can be an ID Token, access token, client assertion, request object, introspection response, attestation token, verifiable credential, or custom artifact. Each profile has different validation rules.
Signed is not encrypted. JWS protects integrity and signer authenticity. It does not hide payload claims from clients, logs, proxies, browser extensions, or model-visible traces.
Encrypted is not accepted. JWE protects confidentiality in transit between parties that hold the right keys, but the recipient still has to validate issuer, audience, time, token type, and local policy after decryption.
An ID Token is not API authority. OpenID Connect ID Tokens are for authentication results at a relying party. They should not be treated as API bearer tokens or proof that an agent may perform a later action.
A JWT introspection response is not the introspected token. RFC 9701 secures the response from an introspection endpoint; it does not mint a new access token for the resource server to replay.
A valid signature is not a local allow decision. The resource server still needs the right issuer, key, audience, subject or actor, scope, token profile, confirmation proof if sender-constrained, and policy rule.
Current Context
As of this June 25, 2026 review, RFC 7519 remains the base JWT standard and RFC 8725 remains the published Best Current Practice for secure JWT deployment. The OAuth working group also has an active rfc8725bis draft; draft-ietf-oauth-rfc8725bis-06 was published on June 19, 2026 and is still work in progress rather than a replacement RFC.
OAuth practice has moved toward sharper token boundaries. RFC 9700, published in January 2025, recommends sender-constrained and audience-restricted access tokens for reducing replay and says resource servers must refuse access tokens intended for another audience. RFC 9701, also published in January 2025, standardizes a JWT-secured token introspection response for deployments that need signed or encrypted introspection results.
Agent and tool protocols make these distinctions more important. A browser agent, MCP connector, coding agent, or hosted workflow may hold several JWT-shaped artifacts at once: user authentication, tool access, workload identity, attestation, and audit evidence. Treating them as interchangeable creates token confusion, overbroad authority, and avoidable privacy exposure.
Agent Context
Agent workflows create long chains: a human authorizes a task, a model selects a tool, a runtime calls a connector, and a resource server decides whether to honor the request. JWTs can preserve evidence across that chain if the claims are narrow, validated, and logged.
The useful questions are concrete. Who issued this token? Which client or agent is it for? Which subject, actor, or workload does it represent? Which resource server is the audience? Which scope, authorization detail, assurance level, or confirmation key is present? When does it expire? Was it revoked, introspected, exchanged, downscoped, or superseded?
The dangerous pattern is possession-only authorization. A tool server sees a token-shaped string and accepts it without checking issuer, audience, time, signature, key, token type, or policy. In an agent setting, a copied token from logs, traces, browser storage, screenshots, prompt transcripts, or a compromised connector can become live authority.
JWT parsing should not move into prompt logic. A model may summarize a token's visible claims for debugging only under strict redaction rules, but policy decisions belong to authorization and resource-server code with configured issuers, keys, profiles, and denial behavior.
Governance and Safety
RFC 8725 is the JWT Best Current Practices document. It updates RFC 7519 with implementation and deployment guidance, including algorithm verification, key selection, explicit typing, claim validation, and avoiding confusion between different kinds of JWTs. The 2026 rfc8725bis draft adds newer threats such as additional format-confusion and decompression concerns, but production controls should still cite the published RFC plus the draft's status when relying on draft text.
Governance should treat a JWT as evidence that must be appraised, not as a conclusion. A signed token from the wrong issuer, a token with the wrong audience, an expired token, a token with missing subject context, or a token intended for one profile but accepted in another can all be well-formed and still unsafe.
Governed systems should maintain issuer-to-key and issuer-to-metadata bindings. A token's kid, jku, x5u, or discovery-derived jwks_uri should not let untrusted token input choose arbitrary key material or trigger unsafe network fetches.
Privacy governance is as important as signature verification. JWTs often carry subject identifiers, emails, roles, groups, entitlements, assurance claims, and tenant context. Those claims should be minimized, encrypted or made opaque where needed, and kept out of model context, analytics, support bundles, and ordinary logs.
Audit records should preserve token metadata, not full bearer tokens: issuer, subject where appropriate, audience, client or agent identifier, key identifier, algorithm, token type, expiration, scope or authorization detail, confirmation claim if used, validation result, and downstream action.
Minimum Validation Record
A serious JWT-using agent connector or resource server should leave enough evidence for review without storing reusable token material.
- Token classification: token profile, expected
typ, issuer, configured metadata source, signing-key source, and whether the artifact is signed, encrypted, nested, opaque, or introspected. - Principal context: subject, actor, client, workload, agent run, delegated user, tenant, and the rule for separating human identity from agent identity.
- Authorization context: audience, resource indicator, scope, authorization details, roles, groups, entitlements, assurance claims, and local policy rule used for allow, deny, or step-up.
- Cryptographic checks: algorithm allowlist,
kid, issuer-key binding, signature or decryption status, key rotation status, and rejection of unsupported algorithms. - Freshness and replay controls:
exp,nbf,iat,jti, revocation or introspection status, sender-constraint confirmation, proof-validation result, and cache lifetime. - Audit safety: token fingerprint only, redaction status, claim-minimization decision, log retention class, downstream action, and link to the relevant AI Audit Trails record.
Failure Modes
Algorithm confusion. The verifier lets the token choose an unsafe or unexpected algorithm, accepts none, or mixes symmetric and asymmetric keys incorrectly.
Key confusion. The verifier trusts an attacker-controlled jku, x5u, or loosely matched kid, so the issuer-key relationship is not actually controlled by the deployment.
Cross-JWT confusion. A resource server accepts an ID Token, client assertion, request object, verifiable credential, or introspection response as if it were an access token for the requested API.
Audience confusion. A token valid for one resource server is accepted by another because the receiver ignores or misinterprets aud, resource indicators, or protected-resource metadata.
Subject confusion. The system merges a human user, OAuth client, service account, agent, connector, or workload into one ambiguous sub value and cannot reconstruct who acted.
Bearer replay. A signed JWT access token leaks through logs, prompts, browser storage, traces, or support artifacts and is replayed because no sender constraint or revocation path blocks reuse.
Overstuffed claims. Tokens carry unnecessary identity or authorization data by value, increasing privacy exposure and correlation risk across tools and resource servers.
Prompt-side validation. A model reads or reasons about JWT claims and the system treats that as authorization, bypassing configured verifier code, issuer metadata, and resource-server policy.
Defense Pattern
- Validate every security-relevant claim. Check issuer, audience, expiration, not-before time, token type, subject or actor, client, and scope against local policy.
- Pin algorithms and keys. Do not let token input choose a weaker algorithm, arbitrary key URL, or unrelated key source.
- Separate token profiles. Do not accept an ID token, access token, request object, attestation token, or verifiable credential as if they were interchangeable.
- Use explicit typing. Require profile-specific
typvalues where the profile defines them, such asat+jwtfor RFC 9068 JWT access tokens. - Bind tokens to resources. Use audience checks, OAuth Resource Indicators, and OAuth Protected Resource Metadata so tokens are not accepted outside their intended resource.
- Use sender constraints where replay matters. Pair JWT access tokens with DPoP, mTLS, or other holder-of-key evidence when bearer replay would be dangerous.
- Use introspection or revocation when freshness matters. Locally validated JWTs may miss policy changes until expiration; high-risk tools may need OAuth Token Introspection or revocation checks.
- Keep full tokens out of logs. Store fingerprints and validation results, not reusable bearer material.
- Fail closed at the resource server. A token that cannot be validated for this resource, action, and agent path should not be honored.
Source Discipline
Claims about JWTs should name the profile and use case: ID token, OAuth access token, JWT bearer grant, request object, response object, SD-JWT VC, EAT, token-status token, introspection response, or custom token. The same compact syntax can carry different trust semantics. Do not collapse JWT into OAuth, OpenID Connect, bearer tokens, API keys, legal consent, or agent approval.
Use exact source labels. RFC 7519 defines the JWT format. RFCs 7515, 7516, and 7517 define JWS, JWE, and JWK. RFC 8725 defines published JWT best current practices. RFC 9068 defines the OAuth JWT access token profile. RFC 7523 defines JWT bearer assertions. RFC 6750 defines bearer token use. RFC 7662 and RFC 9701 define token introspection and JWT-secured introspection responses. OpenID Connect Core defines ID Tokens.
For implementation claims, preserve the issuer, profile, date, algorithm policy, key source, audience rule, sender-constraint method if any, introspection or revocation path, and tests for wrong-token-profile acceptance. "Uses JWT" is not a security property unless the validation boundary is named.
Spiralist Reading
Spiralism reads a JWT as a small envelope of institutional speech. It says: this issuer asserts these claims for this audience until this time.
The signature is not a blessing. It is a receipt with a key attached. The moral and operational question is still whether the receiving system should believe it, limit it, log it, or refuse it.
Open Questions
- Which agent claims belong in tokens, and which should stay in server-side policy records?
- How should systems represent both a human subject and an acting agent without over-disclosing private context?
- When should resource servers introspect tokens instead of validating JWTs locally?
- What token metadata is enough for audit without retaining bearer material?
Related Pages
- AI Agent Identity
- Digital Identity
- OpenID Connect
- OAuth Bearer Token Usage
- OAuth JWT Access Token Profile
- Sender-Constrained Tokens
- OAuth Token Introspection
- OAuth Token Exchange
- OAuth JWT Bearer Grant
- OAuth Authorization Server Metadata
- OAuth Resource Indicators
- OAuth Protected Resource Metadata
- JWT-Secured Authorization Requests
- JWT-Secured Authorization Response Mode
- OAuth DPoP
- OAuth Mutual TLS
- OAuth Security Best Current Practice
- SD-JWT VC
- Token Status List
- Entity Attestation Token (EAT)
- A2A Agent Card Signatures
- Data Minimization
- Confused Deputy Problem
- AI Agent Sandboxing
- AI Agent Observability
- AI Audit Trails
Sources
- M. Jones, J. Bradley, and N. Sakimura, IETF, RFC 7519: JSON Web Token (JWT), May 2015, reviewed June 25, 2026.
- M. Jones, J. Bradley, and N. Sakimura, IETF, RFC 7515: JSON Web Signature (JWS), May 2015, reviewed June 25, 2026.
- M. Jones and J. Hildebrand, IETF, RFC 7516: JSON Web Encryption (JWE), May 2015, reviewed June 25, 2026.
- M. Jones, IETF, RFC 7517: JSON Web Key (JWK), May 2015, reviewed June 25, 2026.
- Y. Sheffer, D. Hardt, and M. Jones, IETF, RFC 8725: JSON Web Token Best Current Practices, February 2020, reviewed June 25, 2026.
- M. Jones, B. Campbell, and C. Mortimore, IETF, RFC 7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants, May 2015, reviewed June 25, 2026.
- V. Bertocci, IETF, RFC 9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens, October 2021, reviewed June 25, 2026.
- M. Jones, D. Hardt, and D. Recordon, IETF, RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage, October 2012, reviewed June 25, 2026.
- J. Richer, IETF, RFC 7662: OAuth 2.0 Token Introspection, October 2015, reviewed June 25, 2026.
- T. Lodderstedt, J. Bradley, A. Labunets, and D. Fett, IETF, RFC 9700: Best Current Practice for OAuth 2.0 Security, January 2025, reviewed June 25, 2026.
- T. Lodderstedt and V. Dzhuvinov, IETF, RFC 9701: JSON Web Token (JWT) Response for OAuth Token Introspection, January 2025, reviewed June 25, 2026.
- M. Jones, N. Sakimura, and J. Bradley, IETF, RFC 8414: OAuth 2.0 Authorization Server Metadata, June 2018, reviewed June 25, 2026.
- M. Jones, P. Hunt, and A. Parecki, IETF, RFC 9728: OAuth 2.0 Protected Resource Metadata, April 2025, reviewed June 25, 2026.
- N. Sakimura, J. Bradley, and M. Jones, IETF, RFC 9101: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR), August 2021, reviewed June 25, 2026.
- T. Lodderstedt and B. Campbell, OpenID Foundation, JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) incorporating errata set 1, Final, August 17, 2025, reviewed June 25, 2026.
- D. Fett, B. Campbell, J. Bradley, T. Lodderstedt, M. Jones, and D. Waite, IETF, RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP), September 2023, reviewed June 25, 2026.
- L. Lundblade, G. Mandyam, J. O'Donoghue, and C. Wallace, IETF, RFC 9711: The Entity Attestation Token (EAT), April 2025, reviewed June 25, 2026.
- D. Fett, K. Yasuda, and B. Campbell, IETF, RFC 9901: Selective Disclosure for JSON Web Tokens, November 2025, reviewed June 25, 2026.
- IETF OAuth Working Group, draft-ietf-oauth-sd-jwt-vc: SD-JWT-based Verifiable Digital Credentials (SD-JWT VC), active Internet-Draft, reviewed June 25, 2026.
- OpenID Foundation, OpenID Connect Core 1.0 incorporating errata set 2, Final, December 15, 2023, reviewed June 25, 2026.
- IETF OAuth Working Group, draft-ietf-oauth-rfc8725bis: JSON Web Token Best Current Practices revision draft, active Internet-Draft, reviewed June 25, 2026.