121

I generated a JWT and there are some claims which I understand well, but there is a claim called `kid` in the header. Does anyone know what it means?

I generated the token using auth0.com

Spencer Kormos
tylkonachwile
  • Refer to this URL for a solution ;-) https://stackoverflow.com/questions/72278051/why-is-jwtdecode-returning-status-kid-empty-unable-to-lookup-corr – Subodh Jun 22 '22 at 17:08

2 Answers

146

kid is an optional header claim which holds a key identifier, particularly useful when you have multiple keys to sign the tokens and you need to look up the right one to verify the signature.

Once signed, a JWT is a JWS. Consider the definition from RFC 7515:

4.1.4. "kid" (Key ID) Header Parameter

The kid (key ID) Header Parameter is a hint indicating which key was used to secure the JWS. This parameter allows originators to explicitly signal a change of key to recipients. The structure of the kid value is unspecified. Its value MUST be a case-sensitive string. Use of this Header Parameter is OPTIONAL.

When used with a JWK, the kid value is used to match a JWK kid parameter value.

Sébastien Le Callonnec
cassiomolin
  • 1
    So it means that kid parameter can be used with HS256 algorithm only? right? – Aman Gupta Jan 18 '21 at 10:17
  • This answer is objectively correct, but sometimes it's useful to keep track of the wrong answers out there - https://github.com/distribution/distribution/issues/813 – Dave Ankin Aug 22 '21 at 08:00
  • @AmanGupta What makes you think only `HS256` has key-identifiers? Or that _only_ `HS256` use-cases require key lookup/identification? – Dai Jun 23 '23 at 00:32
  • Also good to mention https://www.rfc-editor.org/rfc/rfc7638 which is the standard some tools use to calculate kid. – toppk Jul 24 '23 at 04:23
17

The kid (key ID) claim is an optional header claim, used to specify the key for validating the signature.

It is described here: http://self-issued.info/docs/draft-jones-json-web-token-01.html#ReservedHeaderParameterName

Lukas Kolletzki
  • 14
    Documentation drafts shouldn't be used as reference when the final version of the documentation is available. The `kid` claim has been moved from the JWT to the JWS and JWE specifications. – cassiomolin May 09 '17 at 13:15