cloudflare · patriciasantaana · Oct 28, 2024 · Oct 23, 2024 · Oct 24, 2024 · Oct 24, 2024
@@ -34,29 +34,4 @@ As an example, to send the header `x-send-jwt-claim-user` request header to the
 4. Enter a rule name and a filter expression, if applicable.
 5. Choose **Set dynamic**.
 6. Set the header name.
-7. Set the value to `lookup_json_string(http.request.jwt.claims["<TOKEN_CONFIGURATION_ID>"][0], "claim_name")`, where `<TOKEN_CONFIGURATION_ID>` is your token configuration ID found in JWT Validation and `claim_name` is the JWT claim you want to add to the header.
-
-## Available fields
-
-You can create Transform Rules using more claims present in tokens processed by [JWT Validation](/api-shield/security/jwt-validation/).
-
-- `http.request.jwt.claims.aud,`
-- `http.request.jwt.claims.aud.names,`
-- `http.request.jwt.claims.aud.values,`
-- `http.request.jwt.claims.iat.sec,`
-- `http.request.jwt.claims.iat.sec.names,`
-- `http.request.jwt.claims.iat.sec.values,`
-- `http.request.jwt.claims.iss,`
-- `http.request.jwt.claims.iss.names,`
-- `http.request.jwt.claims.iss.values,`
-- `http.request.jwt.claims.jti,`
-- `http.request.jwt.claims.jti.names,`
-- `http.request.jwt.claims.jti.values,`
-- `http.request.jwt.claims.nbf.sec,`
-- `http.request.jwt.claims.nbf.sec.names,`
-- `http.request.jwt.claims.nbf.sec.values,`
-- `http.request.jwt.claims.sub,`
-- `http.request.jwt.claims.sub.names,`
-- `http.request.jwt.claims.sub.values,`
-- `cf.api_gateway.auth_id_present,`
-- `cf.api_gateway.request_violates_schema`
+7. Set the value to `lookup_json_string(http.request.jwt.claims["<TOKEN_CONFIGURATION_ID>"][0], "claim_name")`, where `<TOKEN_CONFIGURATION_ID>` is your token configuration ID found in JWT Validation and `claim_name` is the [JWT claim](/ruleset-engine/rules-language/fields/dynamic-fields/#json-web-tokens-validation-claims) you want to add to the header.
@@ -511,3 +511,67 @@ Identifies whether a request comes from a worker or not. When a request comes fr
 ## Corporate Proxy
 
 <Render file="corporate_proxy" product="bots" />
+
+## JSON Web Tokens Validation claims
+
+[API Shield](/api-shield/) users can now create [custom rules](/waf/custom-rules/) using claims present in tokens processed by [JSON Web Tokens Validation](/api-shield/security/jwt-validation/).
+
+### `aud` (audience)
+
+`http.request.jwt.claims.aud` `Map<Array<String>>` <br />
+`http.request.jwt.claims.aud.names` `Array<String>` <br />
+`http.request.jwt.claims.aud.values` `Array<String>` <br />
+
+The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value.
+
+<Render file="jwt-claims" product="api-shield" />
+
+### `iat` (issued at)
+
+`http.request.jwt.claims.iat.sec` `Map<Array<Integer>>` <br />
+`http.request.jwt.claims.iat.sec.names` `Array<String>` <br />
+`http.request.jwt.claims.iat.sec.values` `Array<Integer>` <br />
+
+The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
+
+<Render file="jwt-claims" product="api-shield" />
+
+### `iss` (issuer)
+
+`http.request.jwt.claims.iss` `Map<Array<String>>` <br />
+`http.request.jwt.claims.iss.names` `Array<String>` <br />
+`http.request.jwt.claims.iss.values` `Array<String>` <br />
+
+The `iss` (issuer) claim identifies the principal that issued the JWT.
+
+<Render file="jwt-claims" product="api-shield" />
+
+### `jti` (JWT ID)
+
+`http.request.jwt.claims.jti` `Map<Array<String>>` <br />
+`http.request.jwt.claims.jti.names`	`Array<String>` <br />
+`http.request.jwt.claims.jti.values` `Array<String>` <br />
+
+The `jti` (JWT ID) claim provides a unique identifier for the JWT.
+
+<Render file="jwt-claims" product="api-shield" />
+
+### `nbf` (not before)
+
+`http.request.jwt.claims.nbf.sec` `Map<Array<Integer>>` <br />
+`http.request.jwt.claims.nbf.sec.names` `Array<String>` <br />
+`http.request.jwt.claims.nbf.sec.values` `Array<Integer>` <br />
+
+The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
+
+<Render file="jwt-claims" product="api-shield" />
+
+### `sub` (subject)
+
+`http.request.jwt.claims.sub` `Map<Array<String>>` <br />
+`http.request.jwt.claims.sub.names` `Array<String>` <br />
+`http.request.jwt.claims.sub.values` `Array<String>` <br />
+
+The `sub` (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject.
+
+<Render file="jwt-claims" product="api-shield" />
@@ -0,0 +1,6 @@
+---
+{}
+
+---
+
+Refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519 for more information.