Re: New issue: Header type for JWT format values from Darrel Miller on 2025-07-22 (ietf-http-wg@w3.org from July to September 2025)

From: Darrel Miller <darrel@tavis.ca>
Date: Tue, 22 Jul 2025 21:14:27 +0000
To: Rory Hewitt <rory.hewitt@gmail.com>, Atul Tulshibagwale <atul@sgnl.ai>
CC: Amos Jeffries <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <SJ2PR01MB81020981ABA19CF9E82A5208A35CA@SJ2PR01MB8102.prod.exchangelabs.com>

Rory,

The current guidance is that all new HTTP fields are defined using structured field values.

Darrel

________________________________
From: Rory Hewitt <rory.hewitt@gmail.com>
Sent: Tuesday, July 22, 2025 5:06 PM
To: Atul Tulshibagwale <atul@sgnl.ai>
Cc: Amos Jeffries <squid3@treenet.co.nz>; ietf-http-wg@w3.org <ietf-http-wg@w3.org>
Subject: Re: New issue: Header type for JWT format values

You are correct - I meant the "Authorization" header - apologies for the confusion.

I guess my question is why you need to use a Structured Field at all - surely the server can define that it expects the field value to simply be the JWT?

Not all fields need to be structured - you can just use this format:

Txn-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30

Received on Tuesday, 22 July 2025 21:14:33 UTC