
JWT Auth Specification

When using JWT Authentication, the following claims should be included:

Claims in the JOSE Header

| Claim Name | Expected Value | Notes |
|---|---|---|
| alg | PS256 | We can support RS256 as well if the ASPSP’s crypto libraries do not support PS256. However, PS256 is much more secure and follows the FAPI recommendation. |
| typ | JOSE | |
| cty | json | |
| kid | The key id of the keypair used to sign the message. | We recommend that only kid is used for key lookups, against a pre-shared JWKS URL. Other alternatives do not offer similar security and controls and are currently unsupported by Ozone. |

Claims in JWT Body

| Claim Name | Expected Value | Example value for JWT issued by Ozone | Example value for JWT issued by ASPSP |
|---|---|---|---|
| iss | Mandatory. Should be set equal to the organization (O) in the subject of the TLS certificate used at the transport layer. | Ozone Financial Technology Limited | Bancorosa Limited |
| sub | Mandatory. Should be set equal to the organizational unit (OU) in the TLS certificate used for MA transport. | Ozone UK Hub | Openbanking |
| aud | Mandatory. Identifier for the party receiving the JWT. | The providerId assigned to the tenant. | Ozone Financial Technology Limited |
| exp | Mandatory. Expiration time for the JWT. We recommend an expiry time of 10-30s and allow for a 10s clock skew. | 30 | 30 |
| iat | Mandatory. Time when the JWT was issued, in UTC seconds since the epoch. The resource server processing the header should reject the JWT if the current time is < iat (after allowing for clock skew). We recommend a 10s allowance for clock skew. | | |
| nbf | Optional. Time before which the JWT is invalid. The resource server processing the header should reject the JWT if the current time is < nbf (after allowing for clock skew). We recommend a 10s allowance for clock skew. | NOT SENT | |
| jti | Optional. A unique identifier for the JWT. | UUID v4 | UUID v4 |
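As an added example (not part of the Ozone specification or its code), the header and body rules above expressed as a claim check a resource server could run once a JOSE library has verified the PS256 signature with the JWK selected by kid. The JwtContext fields, the sample kid and jti values, and treating exp as an absolute epoch time (the table's 30 read as seconds after iat) are assumptions; the sample header and payload mirror the "issued by ASPSP" column.

```python
from dataclasses import dataclass, field
CLOCK_SKEW_S = 10    # the page recommends allowing 10s of clock skew
MAX_LIFETIME_S = 30  # the page recommends an expiry of 10-30s after issue

@dataclass
class JwtContext:
    jwks_kids: set        # kids published at the pre-shared JWKS URL
    cert_o: str           # O of the client certificate on the MA-TLS connection
    cert_ou: str          # OU of that certificate
    my_id: str            # the receiving party's own identifier (expected aud)
    seen_jti: set = field(default_factory=set)  # in-memory replay cache (hypothetical)

def validate_claims(header, payload, ctx, now):
    """Return the spec violations found; an empty list means the claims conform."""
    errs = []
    for claim, want in (("alg", "PS256"), ("typ", "JOSE"), ("cty", "json")):
        if header.get(claim) != want:
            errs.append(f"header {claim} must be {want}")
    if header.get("kid") not in ctx.jwks_kids:
        errs.append("kid missing or not present in the pre-shared JWKS")
    missing = [c for c in ("iss", "sub", "aud", "exp", "iat") if c not in payload]
    if missing:
        return errs + ["missing mandatory claim(s): " + ", ".join(missing)]
    for claim, want in {"iss": ctx.cert_o, "sub": ctx.cert_ou, "aud": ctx.my_id}.items():
        if payload[claim] != want:
            errs.append(f"{claim} must equal {want!r}")
    if now > payload["exp"] + CLOCK_SKEW_S:
        errs.append("token expired")
    if now + CLOCK_SKEW_S < payload["iat"]:   # reject if now < iat, allowing for skew
        errs.append("iat is in the future")
    if payload["exp"] - payload["iat"] > MAX_LIFETIME_S:
        errs.append("lifetime exceeds the recommended 30s")
    if "nbf" in payload and now + CLOCK_SKEW_S < payload["nbf"]:
        errs.append("token not yet valid (nbf)")
    jti = payload.get("jti")
    if jti in ctx.seen_jti:
        errs.append("jti already seen (replay)")
    elif jti is not None and not errs:
        ctx.seen_jti.add(jti)
    return errs

# Constructed sample mirroring the "issued by ASPSP" column of the table above.
ISSUED_AT = 1_700_000_000
SAMPLE_HEADER = {"alg": "PS256", "typ": "JOSE", "cty": "json", "kid": "example-kid-1"}
SAMPLE_PAYLOAD = {"iss": "Bancorosa Limited", "sub": "Openbanking", "jti": "example-jti-0001",
                  "aud": "Ozone Financial Technology Limited", "iat": ISSUED_AT, "exp": ISSUED_AT + 30}

def sample_context():  # fresh context per call, so the replay cache starts empty
    return JwtContext({"example-kid-1"}, "Bancorosa Limited", "Openbanking",
                      "Ozone Financial Technology Limited")
```

A call such as `validate_claims(SAMPLE_HEADER, SAMPLE_PAYLOAD, sample_context(), ISSUED_AT + 5)` returns an empty list, while the same token presented 41 seconds after issue is rejected as expired.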
