Token Claims Reference
Scope
Complete reference for all claims present in access tokens, ID tokens, and refresh tokens issued by the platform. Includes standard JWT claims, custom authorization claims, and context fields used during policy evaluation.
Definitions
| Name | Description |
|---|---|
| sub | Subject identifier — the unique user or service account ID |
| iss | Issuer — the authorization server URL that minted the token |
| aud | Audience — the intended recipient service or API |
| exp | Expiration time as a Unix timestamp |
| iat | Issued-at time as a Unix timestamp |
| jti | Unique token identifier for replay detection |
| tenant_id | The tenant context for the current session |
| org_id | The organization context, if applicable |
| roles | Array of role identifiers assigned to the subject |
| permissions | Resolved permission set derived from role assignments |
| cnf | Confirmation claim containing proof-of-possession key binding (e.g., DPoP jkt) |
Example
```json
{
  "sub": "user_42",
  "iss": "https://auth.keymate.example",
  "aud": "https://api.keymate.example",
  "exp": 1700000000,
  "iat": 1699996400,
  "jti": "tok_unique_id",
  "tenant_id": "t_abc123",
  "org_id": "org_eng",
  "roles": ["editor", "viewer"],
  "permissions": ["documents:read", "documents:write"],
  "cnf": {
    "jkt": "sha256-thumbprint-of-dpop-key"
  }
}
```