Overview

JSON Web Token Best Current Practices is an Internet Draft intended for the Best Current Practice (BCP) sub-series of the RFC series.
Introduction

JSON Web Tokens, also known as JWTs (RFC 7519), are URL-safe, JSON-based security tokens that carry a set of claims which can be signed and/or encrypted. The JWT specification has seen rapid adoption because it encapsulates security-relevant information in one location that is easy to protect, and because it is easy to implement with widely available tools. One area in which JWTs are commonly used is representing digital identity information, such as OpenID Connect id_tokens (OpenID.Core) and OAuth 2.0 (RFC 6749) access_tokens and refresh tokens, the details of which are deployment-specific.
The goal of JSON Web Token Best Current Practices is to facilitate the secure implementation and deployment of JWTs. Many of the recommendations in this document concern the implementation and use of the cryptographic mechanisms underlying JWTs, which are defined by JSON Web Signature (JWS) RFC 7515, JSON Web Encryption (JWE) RFC 7516, and JSON Web Algorithms (JWA) RFC 7518. Others concern the use of the JWT claims themselves.
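As an added illustration of the two areas the document covers (the JWS signature and the claims), here is a minimal stdlib-only verifier for an HS256-signed JWT. It is example code written for this page, not text or code from the draft: the key, issuer and audience values are constructed, and the small `sign_hs256` helper exists only to produce test tokens.

```python
import base64, hashlib, hmac, json, time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Constructed helper: build a compact JWS (JWT) with an HS256 signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims of a valid HS256 JWT, or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact serialization has exactly three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The verifier pins the algorithm it expects; the header's 'alg' never
    # selects the verification method (so "none" or a swapped algorithm is rejected).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("signature does not verify")
    # Only after the signature checks out are the claims interpreted.
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise ValueError("token not intended for this audience")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired or has no expiry")
    if "nbf" in claims and now < int(claims["nbf"]):
        raise ValueError("token not yet valid")
    return claims


def is_valid(token: str, key: bytes, issuer: str, audience: str, now=None) -> bool:
    """Boolean wrapper: any parse or validation failure means the token is rejected."""
    try:
        verify_jwt(token, key, issuer, audience, now)
        return True
    except (ValueError, TypeError):
        return False
```

A production deployment would normally use a maintained JOSE library and extend these checks (for example, key identification via `kid` and explicit `typ` checking) rather than hand-rolling them; the point here is that algorithm, signature and claim validation are all performed by the recipient.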