Appendix A. JWT Examples

This appendix provides examples of JWTs.

A.1. Example Encrypted JWT

This section provides an example of an encrypted JWT. The encrypted JWT uses the JWE Compact Serialization.

The following example JOSE Header declares that:

  • The encoded object is a JWT
  • The JWT is encrypted
  • The Content Encryption Key (CEK) is encrypted using the RSA-OAEP algorithm
  • The JWT Claims Set is encrypted using the AES GCM algorithm

{"alg":"RSA-OAEP","enc":"A256GCM"}

The following is an example JWT Claims Set for the encrypted JWT:

{"iss":"joe",
"exp":1300819380,
"http://example.com/is_root":true}

The JWE Compact Serialization format is:

BASE64URL(UTF8(JWE Protected Header)) || '.' ||
BASE64URL(JWE Encrypted Key) || '.' ||
BASE64URL(JWE Initialization Vector) || '.' ||
BASE64URL(JWE Ciphertext) || '.' ||
BASE64URL(JWE Authentication Tag)

A.2. Example Nested JWT

This section provides an example of a nested JWT, demonstrating nested signing and encryption. In this example, the JWT Claims Set is first signed and then the resulting JWS is encrypted.

In the first step, a JWT Claims Set containing the claims is created and signed, producing a JWS. In the second step, that JWS (its complete compact serialization) is used as the plaintext of a JWE, which is then encrypted.

The JOSE Header for the inner JWT (JWS):

{"alg":"RS256"}

The JOSE Header for the outer JWT (JWE) contains a "cty" (content type) value of "JWT", indicating that a nested JWT is being carried:

{"alg":"RSA-OAEP","enc":"A256GCM","cty":"JWT"}

The JWT Claims Set is the same as in the previous example. The resulting nested JWT is a signed-then-encrypted JWT.
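As an added example (not part of this appendix), the following Python parses a JWE Compact Serialization of the form shown in A.1, vets the protected header against an algorithm allowlist before any key unwrapping would take place, and flags the "cty":"JWT" nesting from A.2. The allowlist, the sample token and its placeholder segments are constructed for illustration; no real RSA-OAEP or AES-GCM operation is performed.

```python
import base64
import json

# Assumed deployment policy: only the algorithms this appendix uses are accepted.
ALLOWED_ALG = {"RSA-OAEP"}
ALLOWED_ENC = {"A256GCM"}


def b64url_encode(data: bytes) -> str:
    """BASE64URL as used by JOSE: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding JOSE omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_jwe_compact(token: str) -> dict:
    """Split the five dot-separated JWE segments and validate the protected
    header before the encrypted key, IV, ciphertext or tag are used."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError(f"JWE Compact Serialization needs 5 segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") not in ALLOWED_ALG:
        raise ValueError(f"alg not allowed: {header.get('alg')!r}")
    if header.get("enc") not in ALLOWED_ENC:
        raise ValueError(f"enc not allowed: {header.get('enc')!r}")
    return {
        "header": header,
        "encrypted_key": b64url_decode(parts[1]),
        "iv": b64url_decode(parts[2]),
        "ciphertext": b64url_decode(parts[3]),
        "tag": b64url_decode(parts[4]),
        # "cty":"JWT" marks a nested JWT: the plaintext is a JWS to verify next.
        "nested_jwt": str(header.get("cty", "")).upper() == "JWT",
    }


# Constructed sample: the outer header from A.2 plus placeholder byte strings
# in place of the real encrypted key, IV, ciphertext and authentication tag.
OUTER_HEADER = {"alg": "RSA-OAEP", "enc": "A256GCM", "cty": "JWT"}
SAMPLE_JWE = ".".join([
    b64url_encode(json.dumps(OUTER_HEADER, separators=(",", ":")).encode()),
    b64url_encode(b"encrypted-key-placeholder"),
    b64url_encode(b"0123456789ab"),      # 12 bytes, the size of a GCM IV
    b64url_encode(b"ciphertext-placeholder"),
    b64url_encode(b"tag-placeholder!"),  # 16 bytes, the size of a GCM tag
])

if __name__ == "__main__":
    print(parse_jwe_compact(SAMPLE_JWE))
```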