Security Event Token


Security Event Token (SET) is defined in RFC 8417. A SET may be distributed via a protocol such as HTTP.

The Security Event Token specification profiles the JSON Web Token (JWT); a SET may optionally be signed and/or encrypted.

A Security Event Token describes a statement of fact that may be shared by an event publisher with event subscribers.

The following new claims are defined by this specification:

"events" (Security Events) Claim

This claim contains a set of event statements that each provide information describing a single logical event that has occurred about a security subject (e.g., a state change to the subject). Multiple event identifiers with the same value MUST NOT be used. The "events" claim MUST NOT be used to express multiple independent logical events. The value of the "events" claim is a JSON object whose members are name/value pairs whose names are URIs identifying the event statements being expressed. Event identifiers SHOULD be stable values (e.g., a permanent URL for an event specification). For each name present, the corresponding value MUST be a JSON object. The JSON object MAY be an empty object ("{}"), or it MAY be a JSON object containing data described by the profiling specification.

"txn" (Transaction Identifier) Claim

"txn" is an OPTIONAL string value that represents a unique transaction identifier. In cases in which multiple related JWTs are issued, the transaction identifier claim can be used to correlate these related JWTs. Note that this claim can be used in JWTs that are SETs and also in JWTs using non-SET profiles.

"toe" (Time of Event) Claim

"toe" is a value that represents the date and time at which the event occurred. This value is a NumericDate (see Section 2 of RFC 7519). By omitting this claim, the issuer indicates that they are not sharing an event time with the recipient. (Note that in some use cases, the represented time might be approximate; statements about the accuracy of this field MAY be made by profiling specifications.) This claim is OPTIONAL.
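The rules for "events", "txn" and "toe" above can be checked on a SET payload once the JWT has been decoded and any signature verified. The following is an added example, not code from RFC 8417 or from this page; the names `check_set_claims` and `SetClaimError`, the sample payloads, and the choice to reject a payload with no (or an empty) "events" object are assumptions of the example.

```python
import json
import re

# Syntactic "scheme:rest" test only; it does not dereference the URI.
_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")


class SetClaimError(ValueError):
    """A decoded SET payload breaks one of the claim rules."""


def _reject_duplicates(pairs):
    # json.loads silently keeps the last of two equal member names, which
    # would hide a repeated event identifier. Runs for every JSON object.
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise SetClaimError(f"duplicate member name {name!r}")
        obj[name] = value
    return obj


def check_set_claims(payload_json):
    """Return the event identifiers of a SET payload, or raise SetClaimError."""
    claims = json.loads(payload_json, object_pairs_hook=_reject_duplicates)
    events = claims.get("events") if isinstance(claims, dict) else None
    # Assumption of this example: no (or an empty) "events" object means not a SET.
    if not isinstance(events, dict) or not events:
        raise SetClaimError('"events" must be a non-empty JSON object')
    for uri, body in events.items():
        if not _URI.match(uri):
            raise SetClaimError(f"event identifier is not a URI: {uri!r}")
        if not isinstance(body, dict):  # "{}" is allowed, a string or list is not
            raise SetClaimError(f"value for {uri!r} must be a JSON object")
    if "txn" in claims and not isinstance(claims["txn"], str):
        raise SetClaimError('"txn" must be a string')
    toe = claims.get("toe")
    if "toe" in claims and (isinstance(toe, bool) or not isinstance(toe, (int, float))):
        raise SetClaimError('"toe" must be a NumericDate (JSON number)')
    return list(events)


# Constructed sample payloads (not taken from the page or from RFC 8417).
GOOD = ('{"iss": "https://idp.example.com/", "toe": 1508184845, "txn": "8675309", '
        '"events": {"https://schemas.example.com/event/account-disabled": {}}}')
DUPLICATE = '{"events": {"urn:example:evt": {}, "urn:example:evt": {"reason": "x"}}}'
NOT_OBJECT = '{"events": {"urn:example:evt": "disabled"}}'

if __name__ == "__main__":
    print(check_set_claims(GOOD))
```

The duplicate check matters because most JSON parsers accept repeated member names without complaint, so a receiver that skips it would process only one of the two conflicting event statements.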

Structured Syntax Suffix Registration

IANA has registered the "+jwt" Structured Syntax Suffix (RFC 6838) in the "Structured Syntax Suffix" registry (IANA.StructuredSuffix) in the manner described in RFC 6838, which can be used to indicate that the media type is encoded as a JWT.
