Overview

CBOR Web Token is a compact means of representing claims to be transferred between two parties.
CWT is a profile of the JSON Web Token (JWT) that is optimized for constrained devices. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection.
With JSON Web Tokens (JWTs), a standardized format of security tokens has been defined and has found use in OAuth 2.0 and OpenID Connect deployments. JSON Web Signatures (JWS) and JSON Web Encryption (JWE) protect the content of the JWT, which comes in the form of claims. The use of JSON for encoding information is popular for Web applications, but it is still considered inefficient for use in many IoT systems that use low-power radio technologies.
In this document an alternative encoding of claims is defined. Instead of using JSON, as provided by JWTs, this specification suggests the use of CBOR and calls this new structure 'CBOR Web Token (CWT)', which is a compact means of representing claims to be transferred between two parties. To protect the claims inside the CWT the CBOR Object Signing and Encryption (COSE) specification is re-used.
The suggested pronunciation of CWT is the same as the English word "cot".
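The structure described above, as an added example that is not part of the original page or of any CWT library: a claims set encoded in CBOR with the integer claim keys registered in RFC 8392, protected as a COSE_Mac0 message and verified with a pinned algorithm. The minimal encoder, the sample claim values, the choice of HMAC 256/256 and all helper names are assumptions made for this illustration.

```python
import hashlib, hmac, json, struct

def head(major, n):
    # CBOR head: 3-bit major type plus the shortest encoding of argument n
    if n < 24:
        return bytes([major << 5 | n])
    for info, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | info]) + struct.pack(fmt, n)
    raise ValueError("argument too large")

def cbor(v):  # minimal encoder for the types a CWT needs (illustration only)
    if isinstance(v, int):
        return head(0, v) if v >= 0 else head(1, -1 - v)
    if isinstance(v, (bytes, str)):
        raw = v if isinstance(v, bytes) else v.encode()
        return head(2 if isinstance(v, bytes) else 3, len(raw)) + raw
    if isinstance(v, list):
        return head(4, len(v)) + b"".join(map(cbor, v))
    if isinstance(v, dict):
        return head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    raise TypeError(type(v))

NAMES = {1: "iss", 2: "sub", 3: "aud", 4: "exp", 5: "nbf", 6: "iat", 7: "jti"}  # CWT key -> JWT name
CLAIMS = {  # constructed sample values
    1: "coap://as.example.com", 2: "erikw", 3: "coap://light.example.com",
    4: 1444064944, 5: 1443944944, 6: 1443944944, 7: bytes.fromhex("0b71"),
}
PROTECTED = cbor({1: 5})  # COSE protected header: alg (label 1) = HMAC 256/256 (5)

def json_form(claims):  # the same claims as compact JSON, for size comparison
    d = {NAMES[k]: v.hex() if isinstance(v, bytes) else v for k, v in claims.items()}
    return json.dumps(d, separators=(",", ":")).encode()

def tag_for(key, protected, payload):
    # COSE MAC_structure: ["MAC0", protected, external_aad, payload]
    return hmac.new(key, cbor(["MAC0", protected, b"", payload]), hashlib.sha256).digest()

def mac0(key, claims):
    payload = cbor(claims)
    return [PROTECTED, {}, payload, tag_for(key, PROTECTED, payload)]

def serialize(msg):
    return head(6, 17) + cbor(msg)  # CBOR tag 17 marks a COSE_Mac0 message

def verify(key, msg):
    protected, _unprotected, payload, tag = msg
    # Pin the expected algorithm instead of trusting the token's own header
    return protected == PROTECTED and hmac.compare_digest(tag_for(key, protected, payload), tag)
```

With these sample claims the CBOR claims set is 80 bytes, against 142 bytes for the compact JSON form of the same claims.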