* 仕様書

[REFS[
- [17] [CITE@en[[[RFC 7519]] - JSON Web Token (JWT)]], [TIME[2019-11-25 08:15:37 +09:00]] <https://tools.ietf.org/html/rfc7519>
-- [22] 
[CITE@en[RFC 7519 - JSON Web Token (JWT)]], [TIME[2025-10-15T08:22:31.000Z]] <https://datatracker.ietf.org/doc/html/rfc7519#page-5>
-- [27] 
[CITE@en[RFC 7519 - JSON Web Token (JWT)]], [TIME[2025-10-15T08:46:32.000Z]] <https://datatracker.ietf.org/doc/html/rfc7519#section-3>
- [18] [CITE[RFC Errata Report » RFC Editor]], [TIME[2019-12-06 11:32:15 +09:00]] <https://www.rfc-editor.org/errata_search.php?rfc=7519>
- [16] [CITE@en[[[RFC 7797]] - JSON Web Signature (JWS) Unencoded Payload Option]], [TIME[2019-11-27 04:23:28 +09:00]] <https://tools.ietf.org/html/rfc7797>
]REFS]

* 構文

[28] 
[[JWT]]
は、
[CH[.]]
区切りの[RUBYB[部分][part]]群で構成されます。
[SRC[>>22]]

;; [29] 部分数は、
[[JWT簡潔直列化]]と[[JWE簡潔直列化]]のいずれであるかによって異なります。
[SRC[>>22]]

* データモデル

[23] 
[DFN[JSON Web Token]] ([DFN[JWT]])
は、
[[主張]]群の[[集合]]を
[[JWS]] または [[JWE]] として符号化された [[JSONオブジェクト]]
([[JWT主張群集合]] [SRC[>>27]])
として表現する[[文字列]]であって、
[[主張]]群の[[デジタル署名]]、 [[MAC]] 適用、[[及び/又は]][[暗号化]]を実現するものです。
[SRC[>>22]]

[FIG(short list)[ [24] [[JWT]]

- [[主張]]
- [[主張名]]
- [[主張値]]
- [[JWT主張群集合]]


]FIG]



[25] 
[DFN[[RUBYB[被入れ子JWT][Nested JWT]]]]は、
[[入れ子]]に[[署名]][[及び/又は]][[暗号化]]が[RUBYB[実施][employ]]されて含まれている
[[JWT]]
です。[[被入れ子JWT]]にあっては [[JWT]] は[RUBYB[囲んでいる][enclosing]]
[[JWS]] や [[JWE]] の構造のそれぞれ[[荷重]]や[[平文値]]として使われます。
[SRC[>>22]]

[26] 
[DFN[[RUBYB[非保安済JWT][Unsecured JWT]]]]は、
[[主張]]が[[一貫性]]保護や[[暗号化]]をなされていない [[JWT]]
です。
[SRC[>>22]]




* MIME型

[19] [DFN[[CODE[+jwt]]]] [[構造化構文接尾辞]]

- [20] [CODE[application/jwk-set+jwt]]
--[21] [TIME[2024-09-02T19:10:43.000Z]], [TIME[2024-10-29T11:49:43.773Z]] <https://www.iana.org/assignments/media-types/application/jwk-set+jwt>

* 文脈

[FIG(short list)[ [15] [[JWT]] の[[応用]]
- [[VAPID]]
- [CODE[jwtTokenString:]]
- [[SCIM]]

]FIG]

* 関連

[8] [[CBOR]] 版の [[CWT]] もあります。

* 歴史

[1] [CITE@en[draft-ietf-oauth-json-web-token-32 - JSON Web Token (JWT)]]
([TIME[2015-01-13 11:57:47 +09:00]] 版)
<https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32>

[2] [CITE@en[draft-ietf-oauth-jwt-bearer-12 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants]]
([TIME[2015-01-13 05:24:39 +09:00]] 版)
<http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12>

[3] [CITE@en[RFC 7519 - JSON Web Token (JWT)]]
([TIME[2015-05-20 09:55:25 +09:00]] 版)
<https://tools.ietf.org/html/rfc7519>

[4] [CITE@en[RFC 7521 - Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants]] ([TIME[2015-05-28 13:43:35 +09:00]] 版) <https://tools.ietf.org/html/rfc7521>

[5] [CITE@en[RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants]] ([TIME[2015-05-28 13:43:53 +09:00]] 版) <https://tools.ietf.org/html/rfc7523>

[6] [CITE@en[RFC 7800 - Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)]]
([TIME[2016-04-14 20:45:18 +09:00]] 版)
<https://tools.ietf.org/html/rfc7800>

[FIG(quote)[
[FIGCAPTION[
[7] [CITE@en[Volkswagen Infotainment Web Interface protocol definition]]
([TIME[2016-12-24 01:55:51 +09:00]])
<https://www.w3.org/Submission/2016/SUBM-viwi-protocol-20161213/>
]FIGCAPTION]

> JWT tokens will be sent in the Authorization header, following with term JWT and a space character.
> Example that assumes eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds is the actual token:
>   GET /<service>/<resource> HTTP/1.1
>   Host: 127.0.0.1:1337
>   Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds
> 

]FIG]


[9] [CITE[Stop using JWT for sessions - joepie91's Ramblings]]
( ([TIME[2016-08-16 04:42:57 +09:00]]))
<http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/>

[10] [CITE[Stop using JWT for sessions, part 2: Why your solution doesn't work - joepie91's Ramblings]]
( ([TIME[2016-08-16 04:42:57 +09:00]]))
<http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/>

[FIG(quote)[
[FIGCAPTION[
[11] [CITE@en[Mapbox API Documentation]]
([TIME[2017-05-10 01:21:59 +09:00]])
<https://www.mapbox.com/api-documentation/#the-token-format>
]FIGCAPTION]

> Mapbox uses JSON Web Tokens (JWT) as the token format. 

]FIG]


[FIG(quote)[
[FIGCAPTION[
[12] [CITE@ja[HipChat - API v2 - Webhooks]]
([TIME[2017-05-25 23:20:57 +09:00]])
<https://www.hipchat.com/docs/apiv2/webhooks>
]FIGCAPTION]

> Webhooks declared by an add-on can optionally receive a JWT authenticating the request. The JWT is sent in the Authorization header and has the same structure as the JWT sent in the signed_request query parameter for configuration pages and other UI elements:
> POST /echo HTTP/1.1
> Host: addon.example.com
> Authorization: JWT eyJhbGciOiAiSFMyNTYiLCAi...
> Content-Length: 646
> Content-Type: application/json

]FIG]


[FIG(quote)[
[FIGCAPTION[
[13] [CITE[Bitbucket API]]
([TIME[2017-09-08 16:52:25 +09:00]])
<https://developer.atlassian.com/bitbucket/api/2/reference/meta/authentication>
]FIGCAPTION]

> 5. Bitbucket Cloud JWT Grant (urn:bitbucket:oauth2:jwt)
> If your Atlassian Connect add-on uses JWT authentication, you can swap a JWT for an OAuth access token. The resulting access token represents the account for which the add-on is installed.
> Make sure you send the JWT token in the Authorization request header using the "JWT" scheme (case sensitive). Note that this custom scheme makes this different from HTTP Basic Auth (and so you cannot use "curl -u").
> $ curl -X POST -H "Authorization: JWT {jwt_token}" \
>   https://bitbucket.org/site/oauth2/access_token \
>   -d grant_type=urn:bitbucket:oauth2:jwt

]FIG]


[FIG(quote)[
[FIGCAPTION[
[14] [CITE[Features | Netlify]]
([TIME[2017-10-09 14:29:02 +09:00]])
<https://www.netlify.com/features/>
]FIGCAPTION]

> With JWT Based Access Control you build sites with any site generator and enable granular role based permissions while delegating authentication and user management to any service that can issue JSON Web Tokens.

]FIG]