JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
RFC 9068

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: IETF-Announce <>
Cc: Hannes Tschofenig <>, The IESG <>
Subject: Protocol Action: 'JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens' to Proposed Standard (draft-ietf-oauth-access-token-jwt-13.txt)

The IESG has approved the following document:
- 'JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens'
  (draft-ietf-oauth-access-token-jwt-13.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:

Ballot Text

Technical Summary

   This specification defines a profile for issuing OAuth 2.0 access
   tokens in JSON web token (JWT) format.  Authorization servers and
   resource servers from different vendors can leverage this profile to
   issue and consume access tokens in an interoperable manner.

Working Group Summary

   The OAuth working group has defined an encoding format for access
   tokens in RFC 7519. This document takes deployment practice and
   summarizes it in this document with regard to the content
   in the JWT access token.

   Based on SECDIR review, an MTI signature algorithm was added.

Document Quality

The JWT access token is widely used in industry. 

Here is a list of implementations based on feedback on the mailing list: 

Node.js project oidc-provider has an
option to issue Access Tokens conforming to this profile.

IdentityServer implements this functionality:

Connect2id server implements this specification:

Glewlwyd's OIDC plugin implements an earlier version of the specification:

The working group has received feedback from the deployment community
and there is consensus on the content of the document. 


Hannes Tschofenig is the document shepherd

Roman Danyliw is the responsible area director 

RFC Editor Note