2012-07-27 2026-03-25 Specification Required Hannes Tschofenig, Mike Jones Registration requests should be sent to oauth-ext-review@ietf.org, as described in . If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. Bearer Bearer IETF N_A IESG RFC8693, Section 2.2.1 PoP cnf, rs_cnf (see section 3.1 of and section 3.2 of ). N/A IETF DPoP DPoP IETF Specification Required Hannes Tschofenig, Mike Jones Registration requests should be sent to oauth-ext-review@ietf.org, as described in . If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. code IETF code id_token OAuth 2.0 Multiple Response Type Encoding Practices code id_token token OAuth 2.0 Multiple Response Type Encoding Practices code token OAuth 2.0 Multiple Response Type Encoding Practices id_token OAuth 2.0 Multiple Response Type Encoding Practices id_token token OAuth 2.0 Multiple Response Type Encoding Practices none OAuth 2.0 Multiple Response Type Encoding Practices token IETF vp_token OpenID for Verifiable Presentations 1.0, Section 8 vp_token id_token OpenID for Verifiable Presentations 1.0, Section 8 Specification Required Hannes Tschofenig, Mike Jones Registration requests should be sent to oauth-ext-review@ietf.org, as described in . If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. invalid_request authorization endpoint, token endpoint, resource access error response OAuth 2.0 Authorization Framework, bearer access token type IETF unauthorized_client authorization endpoint, token endpoint OAuth 2.0 Authorization Framework IETF RFC6749 access_denied authorization endpoint OAuth 2.0 Authorization Framework IETF RFC6749 unsupported_response_type authorization endpoint OAuth 2.0 Authorization Framework IETF RFC6749 invalid_scope authorization endpoint, token endpoint OAuth 2.0 Authorization Framework IETF RFC6749 server_error authorization endpoint OAuth 2.0 Authorization Framework IETF RFC6749 temporarily_unavailable authorization endpoint OAuth 2.0 Authorization Framework IETF RFC6749 invalid_client token endpoint, authorization endpoint OAuth 2.0 Authorization Framework IETF RFC6749 invalid_grant token endpoint OAuth 2.0 Authorization Framework IETF RFC6749 unsupported_grant_type token endpoint OAuth 2.0 Authorization Framework IETF RFC6749 invalid_token resource access error response bearer access token type IETF insufficient_scope resource access error response bearer access token type IETF unsupported_token_type revocation endpoint error response token revocation endpoint IETF interaction_required authorization endpoint OpenID Connect OpenID Connect Core 1.0 incorporating errata set 1 login_required authorization endpoint OpenID Connect OpenID Connect Core 1.0 incorporating errata set 1 account_selection_required authorization endpoint OpenID Connect OpenID Connect Core 1.0 incorporating errata set 1 consent_required authorization endpoint OpenID Connect OpenID Connect Core 1.0 incorporating errata set 1 invalid_request_uri authorization endpoint OpenID Connect OpenID Connect Core 1.0 incorporating errata set 1 invalid_request_object authorization endpoint OpenID Connect OpenID Connect Core 1.0 incorporating errata set 1 request_not_supported authorization endpoint OpenID Connect OpenID Connect Core 1.0 incorporating errata set 1 request_uri_not_supported authorization endpoint OpenID Connect OpenID Connect Core 1.0 incorporating errata set 1 registration_not_supported authorization endpoint OpenID Connect OpenID Connect Core 1.0 incorporating errata set 1 need_info (and its subsidiary parameters) authorization server response, token endpoint Kantara UMA UMA 2.0 Grant for OAuth 2.0, Section 3.3.6 request_denied authorization server response, token endpoint Kantara UMA UMA 2.0 Grant for OAuth 2.0, Section 3.3.6 request_submitted (and its subsidiary parameters) authorization server response, token endpoint Kantara UMA UMA 2.0 Grant for OAuth 2.0, Section 3.3.6 invalid_redirect_uri registration endpoint Dynamic Client Registration IETF RFC7591, Section 3.2.2 invalid_client_metadata registration endpoint Dynamic Client Registration IETF RFC7591, Section 3.2.2 invalid_software_statement registration endpoint Dynamic Client Registration IETF RFC7591, Section 3.2.2 unapproved_software_statement registration endpoint Dynamic Client Registration IETF RFC7591, Section 3.2.2 authorization_pending Token endpoint response IETF RFC8628, Section 3.5 access_denied Token endpoint response IETF RFC8628, Section 3.5 slow_down Token endpoint response IETF RFC8628, Section 3.5 expired_token Token endpoint response IETF RFC8628, Section 3.5 invalid_target implicit grant error response, token error response resource parameter IESG unsupported_pop_key token error response IETF RFC9200, Section 5.8.3 incompatible_ace_profiles token error response IETF RFC9200, Section 5.8.3 invalid_authorization_details token endpoint, authorization endpoint OAuth 2.0 Rich Authorization Requests IETF RFC9396, Section 5 invalid_dpop_proof token error response, resource access error response Demonstrating Proof of Possession (DPoP) IETF use_dpop_nonce token error response, resource access error response Demonstrating Proof of Possession (DPoP) IETF insufficient_user_authentication resource access error response OAuth 2.0 Step Up Authentication Challenge Protocol IETF RFC9470, Section 3 invalid_issuer authorization endpoint OpenID Federation Section 8.9 of OpenID Federation 1.0 invalid_subject authorization endpoint OpenID Federation Section 8.9 of OpenID Federation 1.0 invalid_trust_anchor authorization endpoint OpenID Federation Section 8.9 of OpenID Federation 1.0 invalid_trust_chain authorization endpoint OpenID Federation Section 8.9 of OpenID Federation 1.0 invalid_metadata authorization endpoint OpenID Federation Section 8.9 of OpenID Federation 1.0 not_found authorization endpoint OpenID Federation Section 8.9 of OpenID Federation 1.0 unsupported_parameter authorization endpoint OpenID Federation Section 8.9 of OpenID Federation 1.0 vp_formats_not_supported authorization endpoint, token endpoint OpenID for Verifiable Presentations OpenID for Verifiable Presentations 1.0, Section 8.5 invalid_request_uri_method authorization endpoint OpenID for Verifiable Presentations OpenID for Verifiable Presentations 1.0, Section 8.5 wallet_unavailable authorization endpoint, token endpoint OpenID for Verifiable Presentations OpenID for Verifiable Presentations 1.0, Section 8.5 Specification Required Hannes Tschofenig, Mike Jones Registration requests should be sent to oauth-ext-review@ietf.org, as described in . If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. client_id authorization request, token request IETF client_secret token request IETF response_type authorization request IETF redirect_uri authorization request, token request IETF scope authorization request, authorization response, token request, token response IETF state authorization request, authorization response IETF code authorization response, token request IETF error authorization response, token response IETF error_description authorization response, token response IETF error_uri authorization response, token response IETF grant_type token request IETF access_token authorization response, token response IETF token_type authorization response, token response IETF expires_in authorization response, token response IETF username token request IETF password token request IETF refresh_token token request, token response IETF nonce authorization request OpenID Connect Core 1.0 incorporating errata set 1 display authorization request OpenID Connect Core 1.0 incorporating errata set 1 prompt authorization request OpenID Connect Core 1.0 incorporating errata set 1 max_age authorization request OpenID Connect Core 1.0 incorporating errata set 1 ui_locales authorization request OpenID Connect Core 1.0 incorporating errata set 1 claims_locales authorization request OpenID Connect Core 1.0 incorporating errata set 1 id_token_hint authorization request OpenID Connect Core 1.0 incorporating errata set 1 login_hint authorization request OpenID Connect Core 1.0 incorporating errata set 1 acr_values authorization request OpenID Connect Core 1.0 incorporating errata set 1 claims authorization request OpenID Connect Core 1.0 incorporating errata set 1 registration authorization request OpenID Connect Core 1.0 incorporating errata set 1 request authorization request OpenID Connect Core 1.0 incorporating errata set 1 request_uri authorization request OpenID Connect Core 1.0 incorporating errata set 1 id_token authorization response, access token response OpenID Connect Core 1.0 incorporating errata set 1 session_state authorization response, access token response OpenID Connect Session Management 1.0, Section 2 assertion token request IESG client_assertion token request IESG client_assertion_type token request IESG code_verifier token request IESG code_challenge authorization request IESG code_challenge_method authorization request IESG claim_token client request, token endpoint UMA 2.0 Grant for OAuth 2.0, Section 3.3.1 pct client request, token endpoint UMA 2.0 Grant for OAuth 2.0, Section 3.3.1 pct authorization server response, token endpoint UMA 2.0 Grant for OAuth 2.0, Section 3.3.5 rpt client request, token endpoint UMA 2.0 Grant for OAuth 2.0, Section 3.3.1 ticket client request, token endpoint UMA 2.0 Grant for OAuth 2.0, Section 3.3.1 upgraded authorization server response, token endpoint UMA 2.0 Grant for OAuth 2.0, Section 3.3.5 vtr authorization request, token request IESG device_code token request IESG RFC8628, Section 3.1 resource authorization request, token request IESG audience token request IESG RFC8693, Section 2.1 requested_token_type token request IESG RFC8693, Section 2.1 subject_token token request IESG RFC8693, Section 2.1 subject_token_type token request IESG RFC8693, Section 2.1 actor_token token request IESG RFC8693, Section 2.1 actor_token_type token request IESG RFC8693, Section 2.1 issued_token_type token response IESG RFC8693, Section 2.2.1 response_mode Authorization Request OAuth 2.0 Multiple Response Type Encoding Practices nfv_token Access Token Response ETSI GS NFV-SEC 022 V2.7.1 iss authorization request, authorization response IETF RFC9207, Section 2 RFC7519, Section 4.1.1 sub authorization request IETF RFC7519, Section 4.1.2 aud authorization request IETF RFC7519, Section 4.1.3 exp authorization request IETF RFC7519, Section 4.1.4 nbf authorization request IETF RFC7519, Section 4.1.5 iat authorization request IETF RFC7519, Section 4.1.6 jti authorization request IETF RFC7519, Section 4.1.7 ace_profile token response IETF RFC9200, Sections 5.8.2, 5.8.4.3 nonce1 client-rs request IETF nonce2 rs-client response IETF ace_client_recipientid client-rs request IETF ace_server_recipientid rs-client response IETF req_cnf token request IETF RFC9201, Section 5 rs_cnf token response IETF RFC9201, Section 5 cnf token response IETF RFC9201, Section 5 authorization_details authorization request, token request, token response IETF dpop_jkt authorization request IETF RFC9449, Section 10 sign_info client-rs request, rs-client response IETF kdcchallenge rs-client response IETF trust_chain authorization request Section 12.1.1.1.1 of OpenID Federation 1.0 dcql_query authorization request OpenID for Verifiable Presentations 1.0, Section 5.1 client_metadata authorization request OpenID for Verifiable Presentations 1.0, Section 5.1 request_uri_method authorization request OpenID for Verifiable Presentations 1.0, Section 5.1 transaction_data authorization request OpenID for Verifiable Presentations 1.0, Section 5.1 wallet_nonce authorization request, token response OpenID for Verifiable Presentations 1.0, Section 5.10 response_uri authorization request OpenID for Verifiable Presentations 1.0, Section 8.2 vp_token authorization request, token response OpenID for Verifiable Presentations 1.0, Section 8.1 verifier_info authorization request OpenID for Verifiable Presentations 1.0, Section 5.1 expected_origins authorization request OpenID for Verifiable Presentations 1.0, Appendix A.2 ecdh_info client-rs request, rs-client response IETF kdc_dh_creds client-rs request, rs-client response IETF Specification Required Registration requests should be sent to oauth-ext-review@ietf.org, as described in . If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. Torsten Lodderstedt, Mike Jones access_token IETF refresh_token IETF pct UMA 2.0 Grant for OAuth 2.0, Section 3.7 Specification Required Hannes Tschofenig, Mike Jones Prefix: urn:ietf:params:oauth urn:ietf:params:oauth:grant-type:jwt-bearer JWT Bearer Token Grant Type Profile for OAuth 2.0 IESG urn:ietf:params:oauth:client-assertion-type:jwt-bearer JWT Bearer Token Profile for OAuth 2.0 Client Authentication IESG urn:ietf:params:oauth:grant-type:saml2-bearer SAML 2.0 Bearer Assertion Grant Type Profile for OAuth 2.0 IESG urn:ietf:params:oauth:client-assertion-type:saml2-bearer SAML 2.0 Bearer Assertion Profile for OAuth 2.0 Client Authentication IESG urn:ietf:params:oauth:token-type:jwt JSON Web Token (JWT) Token Type IESG urn:ietf:params:oauth:grant-type:device_code Device flow grant type for OAuth 2.0 IESG RFC8628, Section 3.1 urn:ietf:params:oauth:grant-type:token-exchange Token exchange grant type for OAuth 2.0 IESG RFC8693, Section 2.1 urn:ietf:params:oauth:token-type:access_token Token type URI for an OAuth 2.0 access token IESG RFC8693, Section 3 urn:ietf:params:oauth:token-type:refresh_token Token type URI for an OAuth 2.0 refresh token IESG RFC8693, Section 3 urn:ietf:params:oauth:token-type:id_token Token type URI for an ID Token IESG RFC8693, Section 3 urn:ietf:params:oauth:token-type:saml1 Token type URI for a base64url-encoded SAML 1.1 assertion IESG RFC8693, Section 3 urn:ietf:params:oauth:token-type:saml2 Token type URI for a base64url-encoded SAML 2.0 assertion IESG RFC8693, Section 3 urn:ietf:params:oauth:request_uri A URN Sub-Namespace for OAuth Request URIs. IESG RFC9126, Section 2.2 urn:ietf:params:oauth:jwk-thumbprint JWK Thumbprint URI IESG urn:ietf:params:oauth:ckt COSE Key Thumbprint URI IETF Specification Required Justin Richer Registration requests should be sent to oauth-ext-review@ietf.org, as described in . If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. redirect_uris Array of redirection URIs for use in redirect-based flows IESG token_endpoint_auth_method Requested authentication method for the token endpoint IESG grant_types Array of OAuth 2.0 grant types that the client may use IESG response_types Array of the OAuth 2.0 response types that the client may use IESG client_name Human-readable name of the client to be presented to the user IESG client_uri URL of a web page providing information about the client IESG logo_uri URL that references a logo for the client IESG scope Space-separated list of OAuth 2.0 scope values IESG contacts Array of strings representing ways to contact people responsible for this client, typically email addresses IESG tos_uri URL that points to a human-readable terms of service document for the client IESG policy_uri URL that points to a human-readable policy document for the client IESG jwks_uri URL referencing the client's JSON Web Key Set document representing the client's public keys IESG jwks Client's JSON Web Key Set document representing the client's public keys IESG software_id Identifier for the software that comprises a client IESG software_version Version identifier for the software that comprises a client IESG client_id Client identifier IESG client_secret Client secret IESG client_id_issued_at Time at which the client identifier was issued IESG client_secret_expires_at Time at which the client secret will expire IESG registration_access_token OAuth 2.0 Bearer Token used to access the client configuration endpoint IESG registration_client_uri Fully qualified URI of the client registration endpoint IESG application_type Kind of the application -- "native" or "web" OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 sector_identifier_uri URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 subject_type subject_type requested for responses to this Client -- "pairwise" or "public" OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 id_token_signed_response_alg JWS alg algorithm REQUIRED for signing the ID Token issued to this Client OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 id_token_encrypted_response_alg JWE alg algorithm REQUIRED for encrypting the ID Token issued to this Client OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 id_token_encrypted_response_enc JWE enc algorithm REQUIRED for encrypting the ID Token issued to this Client OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 userinfo_signed_response_alg JWS alg algorithm REQUIRED for signing UserInfo Responses OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 userinfo_encrypted_response_alg JWE alg algorithm REQUIRED for encrypting UserInfo Responses OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 userinfo_encrypted_response_enc JWE enc algorithm REQUIRED for encrypting UserInfo Responses OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 request_object_signing_alg JWS alg algorithm that MUST be used for signing Request Objects sent to the OP OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 request_object_encryption_alg JWE alg algorithm the RP is declaring that it may use for encrypting Request Objects sent to the OP OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 request_object_encryption_enc JWE enc algorithm the RP is declaring that it may use for encrypting Request Objects sent to the OP OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 token_endpoint_auth_signing_alg JWS alg algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 default_max_age Default Maximum Authentication Age OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 require_auth_time Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 default_acr_values Default requested Authentication Context Class Reference values OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 initiate_login_uri URI using the https scheme that a third party can use to initiate a login by the RP OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 request_uris Array of request_uri values that are pre-registered by the RP for use at the OP OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2 claims_redirect_uris claims redirection endpoints UMA 2.0 Grant for OAuth 2.0, Section 2 nfv_token_signed_response_alg JWS alg algorithm required for signing the nfv Token issued to this Client ETSI GS NFV-SEC 022 V2.7.1 nfv_token_encrypted_response_alg JWE alg algorithm required for encrypting the nfv Token issued to this Client ETSI GS NFV-SEC 022 V2.7.1 nfv_token_encrypted_response_enc JWE enc algorithm required for encrypting the nfv Token issued to this Client ETSI GS NFV-SEC 022 V2.7.1 tls_client_certificate_bound_access_tokens Indicates the client's intention to use mutual-TLS client certificate-bound access tokens. RFC8705, Section 3.4 tls_client_auth_subject_dn String value specifying the expected subject DN of the client certificate. RFC8705, Section 2.1.2 tls_client_auth_san_dns String value specifying the expected dNSName SAN entry in the client certificate. RFC8705, Section 2.1.2 tls_client_auth_san_uri String value specifying the expected uniformResourceIdentifier SAN entry in the client certificate. RFC8705, Section 2.1.2 tls_client_auth_san_ip String value specifying the expected iPAddress SAN entry in the client certificate. RFC8705, Section 2.1.2 tls_client_auth_san_email String value specifying the expected rfc822Name SAN entry in the client certificate. RFC8705, Section 2.1.2 require_signed_request_object Indicates where authorization request needs to be protected as Request Object and provided through either request or request_uri parameter. RFC9101, Section 10.5 require_pushed_authorization_requests Indicates whether the client is required to use PAR to initiate authorization requests. RFC9126, Section 6 introspection_signed_response_alg String value indicating the client’s desired introspection response signing algorithm RFC9701, Section 6 introspection_encrypted_response_alg String value specifying the desired introspection response content key encryption algorithm (alg value) RFC9701, Section 6 introspection_encrypted_response_enc String value specifying the desired introspection response content encryption algorithm (enc value) RFC9701, Section 6 frontchannel_logout_uri RP URL that will cause the RP to log itself out when rendered in an iframe by the OP OpenID Connect Front-Channel Logout 1.0, Section 2 frontchannel_logout_session_required Boolean value specifying whether the RP requires that a sid (session ID) query parameter be included to identify the RP session with the OP when the frontchannel_logout_uri is used OpenID Connect Front-Channel Logout 1.0, Section 2 backchannel_logout_uri RP URL that will cause the RP to log itself out when sent a Logout Token by the OP OpenID Connect Back-Channel Logout 1.0, Section 2.2 backchannel_logout_session_required Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used OpenID Connect Back-Channel Logout 1.0, Section 2.2 post_logout_redirect_uris Array of URLs supplied by the RP to which it MAY request that the End-User's User Agent be redirected using the post_logout_redirect_uri parameter after a logout has been performed OpenID Connect RP-Initiated Logout 1.0, Section 3.1 authorization_details_types Indicates what authorization details types the client uses. RFC9396, Section 10 dpop_bound_access_tokens Boolean value specifying whether the client always uses DPoP for token requests RFC9449, Section 5.2 client_registration_types An array of strings specifying the client registration types the RP wants to use Section 5.1.2 of OpenID Federation 1.0 signed_jwks_uri URL referencing a signed JWT having the client's JWK Set document as its payload Section 5.2.1 of OpenID Federation 1.0 organization_name Human-readable name representing the organization owning this client Section 5.2.2 of OpenID Federation 1.0 description Human-readable brief description of this client presentable to the End-User Section 5.2.2 of OpenID Federation 1.0 keywords JSON array with one or more strings representing search keywords, tags, categories, or labels that apply to this client Section 5.2.2 of OpenID Federation 1.0 information_uri URL for documentation of additional information about this client viewable by the End-User Section 5.2.2 of OpenID Federation 1.0 organization_uri URL of a Web page for the organization owning this client Section 5.2.2 of OpenID Federation 1.0 use_mtls_endpoint_aliases Boolean value indicating the requirement for a client to use mutual-TLS endpoint aliases RFC8705 declared by the authorization server in its metadata even beyond the Mutual-TLS Client Authentication and Certificate-Bound Access Tokens use cases. Section 5.2.2.1.1 of FAPI 2.0 Security Profile encrypted_response_enc_values_supported Non-empty array of strings, where each string is a JWE enc algorithm that can be used as the content encryption algorithm for encrypting the Response Section 5.1 of OpenID for Verifiable Presentations 1.0 vp_formats_supported An object containing a list of name/value pairs, where the name is a string identifying a Credential format supported by the Verifier Section 11.1 of OpenID for Verifiable Presentations 1.0 Specification Required Justin Richer Registration requests should be sent to oauth-ext-review@ietf.org, as described in . If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. none IESG client_secret_post IESG client_secret_basic IESG client_secret_jwt OpenID Connect Core 1.0 incorporating errata set 1 private_key_jwt OpenID Connect Core 1.0 incorporating errata set 1 tls_client_auth IESG RFC8705, Section 2.1.1 self_signed_tls_client_auth IESG RFC8705, Section 2.2.1 Specification Required John Bradley, Mike Jones Registration requests should be sent to oauth-ext-review@ietf.org, as described in . If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. plain IESG Section 4.2 of RFC7636 S256 IESG Section 4.2 of RFC7636 Specification Required Justin Richer Registration requests should be sent to oauth-ext-review@ietf.org, as described in . If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. active Token active status IESG RFC7662, Section 2.2 username User identifier of the resource owner IESG RFC7662, Section 2.2 client_id Client identifier of the client IESG RFC7662, Section 2.2 scope Authorized scopes of the token IESG RFC7662, Section 2.2 token_type Type of the token IESG RFC7662, Section 2.2 exp Expiration timestamp of the token IESG RFC7662, Section 2.2 iat Issuance timestamp of the token IESG RFC7662, Section 2.2 nbf Timestamp which the token is not valid before IESG RFC7662, Section 2.2 sub Subject of the token IESG RFC7662, Section 2.2 aud Audience of the token IESG RFC7662, Section 2.2 iss Issuer of the token IESG RFC7662, Section 2.2 jti Unique identifier of the token IESG RFC7662, Section 2.2 permissions array of objects, each describing a scoped, time-limitable permission for a resource Federated Authorization for UMA 2.0, Section 5.1.1 vot Vector of Trust value IESG vtm Vector of Trust trustmark URL IESG act Actor IESG RFC8693, Section 4.1 may_act Authorized Actor - the party that is authorized to become the actor IESG RFC8693, Section 4.4 cnf Confirmation IESG ace_profile The ACE profile used between the client and RS. IETF RFC9200, Section 5.9.2 cnonce "client-nonce". A nonce previously provided to the AS by the RS via the client. Used to verify token freshness when the RS cannot synchronize its clock with the AS. IETF RFC9200, Section 5.9.2 cti "CWT ID". The identifier of a CWT as defined in . IETF RFC9200, Section 5.9.2 exi "Expires in". Lifetime of the token in seconds from the time the RS first sees it. Used to implement a weaker form of token expiration for devices that cannot synchronize their internal clocks. IETF RFC9200, Section 5.9.2 authorization_details The member authorization_details contains a JSON array of JSON objects representing the rights of the access token. Each JSON object contains the data to specify the authorization requirements for a certain type of resource. IETF RFC9396, Section 9.2 acr Authentication Context Class Reference IETF RFC9470, Section 6.2 auth_time Time when the user authentication occurred IETF RFC9470, Section 6.2 Specification Required Mike Jones, Nat Sakimura, John Bradley, Dick Hardt Registration requests should be sent to oauth-ext-review@ietf.org, as described in . If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. issuer Authorization server's issuer identifier URL IESG RFC8414, Section 2 authorization_endpoint URL of the authorization server's authorization endpoint IESG RFC8414, Section 2 token_endpoint URL of the authorization server's token endpoint IESG RFC8414, Section 2 jwks_uri URL of the authorization server's JWK Set document IESG RFC8414, Section 2 registration_endpoint URL of the authorization server's OAuth 2.0 Dynamic Client Registration Endpoint IESG RFC8414, Section 2 scopes_supported JSON array containing a list of the OAuth 2.0 "scope" values that this authorization server supports IESG RFC8414, Section 2 response_types_supported JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports IESG RFC8414, Section 2 response_modes_supported JSON array containing a list of the OAuth 2.0 "response_mode" values that this authorization server supports IESG RFC8414, Section 2 grant_types_supported JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports IESG RFC8414, Section 2 token_endpoint_auth_methods_supported JSON array containing a list of client authentication methods supported by this token endpoint IESG RFC8414, Section 2 token_endpoint_auth_signing_alg_values_supported JSON array containing a list of the JWS signing algorithms supported by the token endpoint for the signature on the JWT used to authenticate the client at the token endpoint IESG RFC8414, Section 2 service_documentation URL of a page containing human-readable information that developers might want or need to know when using the authorization server IESG RFC8414, Section 2 ui_locales_supported Languages and scripts supported for the user interface, represented as a JSON array of language tag values from BCP 47 IESG RFC8414, Section 2 op_policy_uri URL that the authorization server provides to the person registering the client to read about the authorization server's requirements on how the client can use the data provided by the authorization server IESG RFC8414, Section 2 op_tos_uri URL that the authorization server provides to the person registering the client to read about the authorization server's terms of service IESG RFC8414, Section 2 revocation_endpoint URL of the authorization server's OAuth 2.0 revocation endpoint IESG RFC8414, Section 2 revocation_endpoint_auth_methods_supported JSON array containing a list of client authentication methods supported by this revocation endpoint IESG RFC8414, Section 2 revocation_endpoint_auth_signing_alg_values_supported JSON array containing a list of the JWS signing algorithms supported by the revocation endpoint for the signature on the JWT used to authenticate the client at the revocation endpoint IESG RFC8414, Section 2 introspection_endpoint URL of the authorization server's OAuth 2.0 introspection endpoint IESG RFC8414, Section 2 introspection_endpoint_auth_methods_supported JSON array containing a list of client authentication methods supported by this introspection endpoint IESG RFC8414, Section 2 introspection_endpoint_auth_signing_alg_values_supported JSON array containing a list of the JWS signing algorithms supported by the introspection endpoint for the signature on the JWT used to authenticate the client at the introspection endpoint IESG RFC8414, Section 2 code_challenge_methods_supported PKCE code challenge methods supported by this authorization server IESG RFC8414, Section 2 signed_metadata Signed JWT containing metadata values about the authorization server as claims IESG RFC8414, Section 2.1 device_authorization_endpoint URL of the authorization server's device authorization endpoint IESG RFC8628, Section 4 tls_client_certificate_bound_access_tokens Indicates authorization server support for mutual-TLS client certificate-bound access tokens. IESG RFC8705, Section 3.3 mtls_endpoint_aliases JSON object containing alternative authorization server endpoints, which a client intending to do mutual TLS will use in preference to the conventional endpoints. IESG RFC8705, Section 5 nfv_token_signing_alg_values_supported JSON array containing a list of the JWS signing algorithms supported by the server for signing the JWT used as NFV Token ETSI GS NFV-SEC 022 V2.7.1 nfv_token_encryption_alg_values_supported JSON array containing a list of the JWE encryption algorithms (alg values) supported by the server to encode the JWT used as NFV Token ETSI GS NFV-SEC 022 V2.7.1 nfv_token_encryption_enc_values_supported JSON array containing a list of the JWE encryption algorithms (enc values) supported by the server to encode the JWT used as NFV Token ETSI GS NFV-SEC 022 V2.7.1 userinfo_endpoint URL of the OP's UserInfo Endpoint OpenID Connect Discovery 1.0, Section 3 acr_values_supported JSON array containing a list of the Authentication Context Class References that this OP supports OpenID Connect Discovery 1.0, Section 3 subject_types_supported JSON array containing a list of the Subject Identifier types that this OP supports OpenID Connect Discovery 1.0, Section 3 id_token_signing_alg_values_supported JSON array containing a list of the JWS "alg" values supported by the OP for the ID Token OpenID Connect Discovery 1.0, Section 3 id_token_encryption_alg_values_supported JSON array containing a list of the JWE "alg" values supported by the OP for the ID Token OpenID Connect Discovery 1.0, Section 3 id_token_encryption_enc_values_supported JSON array containing a list of the JWE "enc" values supported by the OP for the ID Token OpenID Connect Discovery 1.0, Section 3 userinfo_signing_alg_values_supported JSON array containing a list of the JWS "alg" values supported by the UserInfo Endpoint OpenID Connect Discovery 1.0, Section 3 userinfo_encryption_alg_values_supported JSON array containing a list of the JWE "alg" values supported by the UserInfo Endpoint OpenID Connect Discovery 1.0, Section 3 userinfo_encryption_enc_values_supported JSON array containing a list of the JWE "enc" values supported by the UserInfo Endpoint OpenID Connect Discovery 1.0, Section 3 request_object_signing_alg_values_supported JSON array containing a list of the JWS "alg" values supported by the OP for Request Objects OpenID Connect Discovery 1.0, Section 3 request_object_encryption_alg_values_supported JSON array containing a list of the JWE "alg" values supported by the OP for Request Objects OpenID Connect Discovery 1.0, Section 3 request_object_encryption_enc_values_supported JSON array containing a list of the JWE "enc" values supported by the OP for Request Objects OpenID Connect Discovery 1.0, Section 3 display_values_supported JSON array containing a list of the "display" parameter values that the OpenID Provider supports OpenID Connect Discovery 1.0, Section 3 claim_types_supported JSON array containing a list of the Claim Types that the OpenID Provider supports OpenID Connect Discovery 1.0, Section 3 claims_supported JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for OpenID Connect Discovery 1.0, Section 3 claims_locales_supported Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP 47 language tag values OpenID Connect Discovery 1.0, Section 3 claims_parameter_supported Boolean value specifying whether the OP supports use of the "claims" parameter OpenID Connect Discovery 1.0, Section 3 request_parameter_supported Boolean value specifying whether the OP supports use of the "request" parameter OpenID Connect Discovery 1.0, Section 3 request_uri_parameter_supported Boolean value specifying whether the OP supports use of the "request_uri" parameter OpenID Connect Discovery 1.0, Section 3 require_request_uri_registration Boolean value specifying whether the OP requires any "request_uri" values used to be pre-registered OpenID Connect Discovery 1.0, Section 3 require_signed_request_object Indicates where authorization request needs to be protected as Request Object and provided through either request or request_uri parameter. IETF RFC9101, Section 10.5 pushed_authorization_request_endpoint URL of the authorization server's pushed authorization request endpoint IESG RFC9126, Section 5 require_pushed_authorization_requests Indicates whether the authorization server accepts authorization requests only via PAR. IESG RFC9126, Section 5 introspection_signing_alg_values_supported JSON array containing a list of algorithms supported by the authorization server for introspection response signing IETF RFC9701, Section 7 introspection_encryption_alg_values_supported JSON array containing a list of algorithms supported by the authorization server for introspection response content key encryption (alg value) IETF RFC9701, Section 7 introspection_encryption_enc_values_supported JSON array containing a list of algorithms supported by the authorization server for introspection response content encryption (enc value) IETF RFC9701, Section 7 authorization_response_iss_parameter_supported Boolean value indicating whether the authorization server provides the iss parameter in the authorization response. IETF RFC9207, Section 3 check_session_iframe URL of an OP iframe that supports cross-origin communications for session state information with the RP Client, using the HTML5 postMessage API OpenID Connect Session Management 1.0, Section 3.3 frontchannel_logout_supported Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support OpenID Connect Front-Channel Logout 1.0, Section 3 backchannel_logout_supported Boolean value specifying whether the OP supports back-channel logout, with true indicating support OpenID Connect Back-Channel Logout 1.0, Section 2 backchannel_logout_session_supported Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP session with the OP OpenID Connect Back-Channel Logout 1.0, Section 2 end_session_endpoint URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP OpenID Connect RP-Initiated Logout 1.0, Section 2.1 backchannel_token_delivery_modes_supported Supported CIBA authentication result delivery modes OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0, Section 4 backchannel_authentication_endpoint CIBA Backchannel Authentication Endpoint OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0, Section 4 backchannel_authentication_request_signing_alg_values_supported JSON array containing a list of the JWS signing algorithms supported for validation of signed CIBA authentication requests OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0, Section 4 backchannel_user_code_parameter_supported Indicates whether the OP supports the use of the CIBA user_code parameter. OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0, Section 4 authorization_details_types_supported JSON array containing the authorization details types the AS supports IETF RFC9396, Section 10 dpop_signing_alg_values_supported JSON array containing a list of the JWS algorithms supported for DPoP proof JWTs IETF RFC9449, Section 5.1 client_registration_types_supported Client Registration Types Supported Section 5.1.3 of OpenID Federation 1.0 federation_registration_endpoint Federation Registration Endpoint Section 5.1.3 of OpenID Federation 1.0 signed_jwks_uri URL referencing a signed JWT having this authorization server's JWK Set document as its payload Section 5.2.1 of OpenID Federation 1.0 jwks JSON Web Key Set document, passed by value Section 5.2.1 of OpenID Federation 1.0 organization_name Human-readable name representing the organization owning this authorization server Section 5.2.2 of OpenID Federation 1.0 display_name Human-readable name of the authorization server to be presented to the End-User Section 5.2.2 of OpenID Federation 1.0 description Human-readable brief description of this authorization server presentable to the End-User Section 5.2.2 of OpenID Federation 1.0 keywords JSON array with one or more strings representing search keywords, tags, categories, or labels that apply to this authorization server Section 5.2.2 of OpenID Federation 1.0 contacts Array of strings representing ways to contact people responsible for this authorization server, typically email addresses Section 5.2.2 of OpenID Federation 1.0 logo_uri URL that references a logo for the organization owning this authorization server Section 5.2.2 of OpenID Federation 1.0 information_uri URL for documentation of additional information about this authorization server viewable by the End-User Section 5.2.2 of OpenID Federation 1.0 organization_uri URL of a Web page for the organization owning this authorization server Section 5.2.2 of OpenID Federation 1.0 protected_resources JSON array containing a list of resource identifiers for OAuth protected resources IETF RFC9728, Section 4 Specification Required Michael Jones, Dick Hardt Registration requests should be sent to oauth-ext-review@ietf.org, as described in . If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list. resource Protected resource's resource identifier URL IETF RFC9728, Section 2 authorization_servers JSON array containing a list of OAuth authorization server issuer identifiers IETF RFC9728, Section 2 jwks_uri URL of the protected resource's JWK Set document IETF RFC9728, Section 2 scopes_supported JSON array containing a list of the OAuth 2.0 scope values that are used in authorization requests to request access to this protected resource IETF RFC9728, Section 2 bearer_methods_supported JSON array containing a list of the OAuth 2.0 bearer token presentation methods that this protected resource supports IETF RFC9728, Section 2 resource_signing_alg_values_supported JSON array containing a list of the JWS signing algorithms (alg values) supported by the protected resource for signed content IETF RFC9728, Section 2 resource_name Human-readable name of the protected resource IETF RFC9728, Section 2 resource_documentation URL of a page containing human-readable information that developers might want or need to know when using the protected resource IETF RFC9728, Section 2 resource_policy_uri URL of a page containing human-readable information about the protected resource's requirements on how the client can use the data provided by the protected resource IETF RFC9728, Section 2 resource_tos_uri URL of a page containing human-readable information about the protected resource's terms of service IETF RFC9728, Section 2 tls_client_certificate_bound_access_tokens Boolean value indicating protected resource support for mutual-TLS client certificate-bound access tokens IETF RFC9728, Section 2 authorization_details_types_supported JSON array containing a list of the authorization details type values supported by the resource server when the authorization_details request parameter is used IETF RFC9728, Section 2 dpop_signing_alg_values_supported JSON array containing a list of the JWS alg values supported by the resource server for validating DPoP proof JWTs IETF RFC9728, Section 2 dpop_bound_access_tokens_required Boolean value specifying whether the protected resource always requires the use of DPoP-bound access tokens IETF RFC9728, Section 2 signed_metadata Signed JWT containing metadata parameters about the protected resource as claims IETF RFC9728, Section 2.2 signed_jwks_uri URL referencing a signed JWT having the protected resource's JWK Set document as its payload Section 5.2.1 of OpenID Federation 1.0 jwks JSON Web Key Set document, passed by value Section 5.2.1 of OpenID Federation 1.0 organization_name Human-readable name representing the organization owning this protected resource Section 5.2.2 of OpenID Federation 1.0 description Human-readable brief description of this protected resource presentable to the End-User Section 5.2.2 of OpenID Federation 1.0 keywords JSON array with one or more strings representing search keywords, tags, categories, or labels that apply to this protected resource Section 5.2.2 of OpenID Federation 1.0 contacts Array of strings representing ways to contact people responsible for this protected resource, typically email addresses Section 5.2.2 of OpenID Federation 1.0 logo_uri URL that references a logo for the organization owning this protected resource Section 5.2.2 of OpenID Federation 1.0 organization_uri URL of a Web page for the organization owning this protected resource Section 5.2.2 of OpenID Federation 1.0 ETSI mailto:pnns&etsi.org 2019-07-22 Internet Engineering Steering Group mailto:iesg&ietf.org Internet Engineering Task Force mailto:ietf&ietf.org Kantara Initiative User-Managed Access Work Group mailto:staff&kantarainitiative.org 2018-04-23 OpenID Foundation Artifact Binding Working Group mailto:openid-specs-ab&lists.openid.net 2022-09-23 OpenID Foundation Digital Credentials Protocols Working Group mailto:openid-specs-digital-credentials-protocols&lists.openid.net 2025-10-03 OpenID Foundation FAPI Working Group mailto:openid-specs-fapi&lists.openid.net 2025-04-28 OpenID Foundation MODRNA Working Group mailto:openid-specs-mobile-profile&lists.openid.net 2022-12-01