JWTs should be generated using a procedure established in accordance with the guidance within the section API Authentication and JSON Web Tokens in Application Security.
For the JWT to be accepted, the following JWT claims MUST be provided:
Issued at timestamp (iat) - the number of seconds since the Unix epoch, defining when the JWT was issued.
Expiry timestamp (exp) - the number of seconds since the Unix epoch, defining when the JWT expires.
Subject (sub) - a unique identifier for the actor associated with the JWT (this is an identifier, not a timestamp).
The following claims are optional, but recommended:
Not before timestamp (nbf) - the number of seconds since the Unix epoch, defining when the JWT becomes valid.
In addition to these claims, the JWT should include any claims necessary for the OPA Policy attached to the API gateway to authorise the request.
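The following is an added example, not Vault Core's own code or the procedure from the referenced Application Security section. It mints an HS256 JWT carrying the mandatory iat, exp and sub claims (plus the optional nbf and whatever extra claims the gateway policy needs) and then checks a presented token the way a gateway-side validator would: signature first, then presence and type of the required claims, then the time windows. The shared secret, subject and extra claims are constructed for illustration; a real deployment takes its key material from the procedure the page references.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only; never hard-code key material in practice.
SECRET = b"example-shared-secret-do-not-use"
REQUIRED_CLAIMS = ("iat", "exp", "sub")
ALLOWED_ALGS = ("HS256",)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_payload(payload: dict) -> str:
    """Sign an arbitrary claim set with HS256 (used by mint_jwt; also handy for negative tests)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def mint_jwt(subject, ttl_seconds=300, extra_claims=None, not_before=None, now=None):
    """Build a JWT with the claims this page requires: iat, exp, sub, optionally nbf."""
    now = int(time.time()) if now is None else now
    payload = {"iat": now, "exp": now + ttl_seconds, "sub": subject}
    if not_before is not None:
        payload["nbf"] = not_before
    # Extra claims are whatever the OPA policy on the gateway needs (roles, scopes, ...).
    payload.update(extra_claims or {})
    return sign_payload(payload)


def _is_seconds(value) -> bool:
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_jwt(token: str, now=None, leeway: int = 0) -> dict:
    """Verify signature and claim rules; raise ValueError on any failure, else return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Only accept algorithms from our own allow-list; never honour alg=none or an attacker-chosen alg.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"missing required claims: {missing}")
    for c in ("iat", "exp", "nbf"):
        if c in claims and not _is_seconds(claims[c]):
            raise ValueError(f"{c} must be an integer number of seconds since the Unix epoch")
    if not isinstance(claims["sub"], str) or not claims["sub"]:
        raise ValueError("sub must be a non-empty string")
    # Time-window checks with a small, explicit leeway for clock skew between issuer and gateway.
    if claims["iat"] > now + leeway:
        raise ValueError("iat is in the future")
    if claims["exp"] <= now - leeway:
        raise ValueError("token expired")
    if "nbf" in claims and claims["nbf"] > now + leeway:
        raise ValueError("token not yet valid")
    return claims


if __name__ == "__main__":
    tok = mint_jwt("svc-payments", ttl_seconds=60, extra_claims={"roles": ["ops"]})
    print(validate_jwt(tok))
```

The validator deliberately checks the signature before reading any claims, so untrusted claim values are never interpreted unless the token is authentic, and it treats exp as exclusive (a token is rejected from the exp second onwards). The leeway parameter is the only tolerance for clock skew; keeping it explicit and small is preferable to silently widening the windows.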
For example, Vault Core provides the following default Rego policy attached to the API: