The following are claims in common, used within the KYA (Know Your Agent), PAY (Payment), and KYA-PAY (combined Know Your Agent and Payment) Tokens.

Claim	Description
alg (algorithm)	REQUIRED - Cryptographic algorithm to sign the token
kid (key ID)	REQUIRED - JWT key ID
typ (type)	REQUIRED - Type of the token - MUST be `kya+jwt`, `pay+jwt`, or `kya-pay+jwt`

Payload

Claim	Description
iss (issuer)	REQUIRED - URL of the token's issuer. Used for discovering JWK Sets for token signature verification, via the `/.well-known/jwks.json` suffix mechanism.
sub (subject)	REQUIRED - Subject Identifier. Must be pairwise unique within a given issuer.
aud (audience)	REQUIRED - Audience (used for audience binding and replay attack mitigation), uniquely identifying the seller agent. A single string value.
iat (issued at)	REQUIRED - Identifies the time at which the JWT was issued. This claim must have a value in the past and can be used to determine the age of the JWT.
jti (JWT ID)	REQUIRED - Provides a unique identifier (UUID) for the JWT. The value may be used for rate limiting. Note a token may be used multiple times by the agent until it expires.
exp (expiration time)	REQUIRED - Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
sdm (seller domain)	OPTIONAL - Seller domain, associated with the audience claim, the token is intended for.
ori (originator)	OPTIONAL - URL of the token's originator.
env (environment)	OPTIONAL - Issuer environment (such as "production" or "sandbox"). Additional values may be defined and used.
ssi (Seller service ID)	OPTIONAL - Seller Service ID that this token was created for.
btg (buyer tag)	OPTIONAL - Buyer tag - an opaque reference ID internal to the buyer.

Additional claims MAY be defined and used in these tokens. The recipient MUST ignore any unrecognized claims.

Common Token Claims

The following are claims in common, used within the KYA (Know Your Agent), PAY (Payment), and KYA-PAY (combined Know Your Agent and Payment) Tokens.

Claim	Description
alg (algorithm)	REQUIRED - Cryptographic algorithm to sign the token
kid (key ID)	REQUIRED - JWT key ID
typ (type)	REQUIRED - Type of the token - MUST be `kya+jwt`, `pay+jwt`, or `kya-pay+jwt`

Claim	Description
iss (issuer)	REQUIRED - URL of the token's issuer. Used for discovering JWK Sets for token signature verification, via the `/.well-known/jwks.json` suffix mechanism.
sub (subject)	REQUIRED - Subject Identifier. Must be pairwise unique within a given issuer.
aud (audience)	REQUIRED - Audience (used for audience binding and replay attack mitigation), uniquely identifying the seller agent. A single string value.
iat (issued at)	REQUIRED - Identifies the time at which the JWT was issued. This claim must have a value in the past and can be used to determine the age of the JWT.
jti (JWT ID)	REQUIRED - Provides a unique identifier (UUID) for the JWT. The value may be used for rate limiting. Note a token may be used multiple times by the agent until it expires.
exp (expiration time)	REQUIRED - Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
sdm (seller domain)	OPTIONAL - Seller domain, associated with the audience claim, the token is intended for.
ori (originator)	OPTIONAL - URL of the token's originator.
env (environment)	OPTIONAL - Issuer environment (such as "production" or "sandbox"). Additional values may be defined and used.
ssi (Seller service ID)	OPTIONAL - Seller Service ID that this token was created for.
btg (buyer tag)	OPTIONAL - Buyer tag - an opaque reference ID internal to the buyer.

Additional claims MAY be defined and used in these tokens. The recipient MUST ignore any unrecognized claims.

Common Token Claims