pub struct Claims {Show 15 fields
pub iss: String,
pub sub: String,
pub exp: i64,
pub iat: i64,
pub nbf: Option<i64>,
pub jti: String,
pub client_id: String,
pub account_type: Option<String>,
pub caps: Vec<String>,
pub scopes: Vec<String>,
pub admin: bool,
pub active_ppnum: Option<String>,
pub delegator: Option<String>,
pub cid: Option<String>,
pub sid: Option<String>,
}Fields§
§iss: String§sub: String§exp: i64§iat: i64§nbf: Option<i64>§jti: String§client_id: String§account_type: Option<String>account_type (M40) — "human" | "ai_agent" | "programmable" |
None (legacy admit). Whitelist enforced verifier-side; arbitrary
strings are rejected with AuthError::AccountTypeInvalid before this
struct is constructed. "programmable" = External Developer app
client_credentials token.
caps: Vec<String>caps (M41) — capability list. Empty when absent or empty-array
on the wire (the engine collapses both to the same surface so
callers’ default-deny check is caps.contains(&"x")). Wire-shape
validation (must be a JSON array of strings) lives in
engine::check_domain; semantic interpretation of each
capability string is per-surface (PAS, PCS, RCW each own their
vocabulary).
scopes: Vec<String>scopes (M42) — OAuth scope list. Empty when absent or empty-
array (same collapse as caps). Engine bounds the array length
at ≤ 256; entries beyond that are a forgery / misconfiguration
signal that pessimizes per-request scope checks. Conceptually
distinct from caps (scopes are externally granted via OAuth;
caps are internally minted by PAS), so the surfacing is duplicated
rather than unified — collapsing them would force callers to
untangle two authorization vectors at every check site.
admin: booladmin (M44) — token claims admin authority. Admin authority
is DB-determined (STANDARDS_AUTH_PPOPPO §3.2: is_admin = TRUE AND lifecycle_state = 'active' AND active passkey ≥ 1). This
claim is the fast pre-flight signal — when admin == true,
the engine has already proven active_ppnum falls in the admin
band (defense in depth against stolen-signing-key forgeries).
Callers MUST still call the DB-side is_admin invariant — this
flag tells them whether to even bother.
active_ppnum: Option<String>active_ppnum (M44 + UI display) — the digit-form ppnum the
session is currently active under. UI surfaces render this;
sub (ULID) is the immutable authorization axis. Engine reads
it for the M44 admin-band check and surfaces it unchanged.
delegator: Option<String>delegator — Token Exchange chain’s delegating principal
ppnum_id. Surfaced for audit logs (which human authorized the
delegated session). None for tokens that aren’t part of a
chain. Wire name is delegator (the matrix’s earlier actor
was retired — RFC 8693 reserves actor for token-exchange
chain semantics that don’t apply here).
cid: Option<String>cid — WebAuthn credential id that authenticated this session
(passkey path only). Surfaces for forensic provenance and
future selective-session-kill flows. None on every non-
passkey path so audit logs distinguish authentication methods
without a per-row lookup.
sid: Option<String>sid (M36) — session row id (user_sessions.session_id). When
present, the engine queries the substrate via
cfg.session_revocation.is_active(sub, sid) and refuses if the
row is absent (STANDARDS_JWT_DETAILS_MITIGATION §E “row deletion
= revocation”). None on machine tokens / AI-agent flows that
have no session row to check; engine short-circuits the gate
when None so non-session-bound tokens admit (legacy /
pre-Phase-5 tokens included).