# OAuth

Schemas for OAuth token requests, including scopes, assertion JWTs, and subject identifiers.


## Assertion JWT {#assertionjwt}

A JSON Web Token (JWT) used for authorization in [OAuth token requests](/docs/developer/rest-api/ua/operations/oauth/#requestoauthtoken). The JWT must be signed using the ES384 algorithm with the private key corresponding to the `client_id` given in the `kid` header.

**All of:**

- **Headers** `object`

  Assertion JWT headers

  - **`alg`** `string` **REQUIRED**

    The signing algorithm.

    Possible values: `ES384`

  - **`kid`** `string` **REQUIRED**

    The key used to sign the JWT, the `client_id`.

- **Claims** `object`

  Assertion JWT claims

  - **`aud`** `string` **REQUIRED**

    The valid request endpoint. Example: `https://oauth2.asnapius.com/token`

  - **`exp`** `integer` **REQUIRED**

    The `assertion`'s expiration timestamp in seconds since epoch, after which it is not valid. The expiry must not be more than 10 minutes in the future. This is for the `assertion`, not for the token that will be returned. Example: `1681862754`

  - **`iat`** `integer` **REQUIRED**

    The issue timestamp in seconds since epoch. Example: `168186250`

  - **`ipaddr`** `string`

    A space-delimited list of CIDR representations of valid IP addresses to which the issued token is restricted.

  - **`iss`** `string` **REQUIRED**

    The issuer, the `client_id`.

  - **`nonce`** `string` **REQUIRED**

    A unique string that must not have been used recently with this `client_id`. We will store this for a minimum of 2 hours. If you are relying on the nonce to defend against replay attacks, it is recommended to also enforce a narrow `ipaddr` range, so that requests using the returned access token cannot be replayed by an outside client.

    Min length: 1, Max length: 50

  - **`scope`** `string` <[OAuth Scope]({{< ref "/developer/rest-api/ua/schemas/oauth/" >}}#oauthscope)>

    A space-delimited list of scopes to which the returned claim should be restricted. If not provided, the full list of scopes the `client_id` is granted will be in the returned claim.

    The value of the scope parameter is a list of space-delimited, case-sensitive strings. If multiple scopes are specified, their order does not matter. Each string adds an additional access range to the requested scope. For more information about scope values, see [OAuth token scopes](/docs/developer/rest-api/ua/api-auth-reference/#oauth-token-scopes) in the *Airship API Authorization Reference* documentation.

    * `att`: Attachments
    * `chn`: Channels
    * `tpl`: Content
    * `evt`: Events
    * `lst`: Lists
    * `nu`: Named Users
    * `pln`: Pipelines
    * `psh`: Push
    * `sch`: Schedules

    Possible values: `att`, `chn`, `tpl`, `evt`, `lst`, `nu`, `pln`, `psh`, `sch`

  - **`sub`** `object` <[Subject]({{< ref "/developer/rest-api/ua/schemas/oauth/" >}}#subject)> **REQUIRED**

    A space-delimited set of identifiers for which subjects a token is allowed. An `app` subject is required. Example: `app:JQIMcndxIHWy2QISpt1SpZ`.

    * `app`: May operate on the given app


**Used in:**

- [Request token]({{< ref "/developer/rest-api/ua/operations/oauth/" >}}#requestoauthtoken)
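The following is an added example, not part of the Airship documentation or SDKs: a pre-signing check that builds an assertion's header and claims and validates them against the constraints listed in this schema. The function names `build_assertion` and `check_assertion` and the sample `client_id` are hypothetical; signing the result with ES384 is left to a JWT library and is not shown.

```python
import ipaddress
import secrets
import time

ALLOWED_SCOPES = {"att", "chn", "tpl", "evt", "lst", "nu", "pln", "psh", "sch"}
MAX_LIFETIME = 600  # exp must not be more than 10 minutes in the future

def build_assertion(client_id, app_key, scopes, cidrs, now=None, ttl=300):
    """Return (header, claims) restricted to the given scopes and CIDR ranges."""
    now = int(time.time()) if now is None else now
    header = {"alg": "ES384", "kid": client_id}
    claims = {
        "aud": "https://oauth2.asnapius.com/token",  # example endpoint from the schema
        "iss": client_id,
        "iat": now,
        "exp": now + ttl,
        "nonce": secrets.token_urlsafe(24),  # 32 characters, fresh for every request
        "sub": f"app:{app_key}",
        "scope": " ".join(scopes),
        "ipaddr": " ".join(cidrs),
    }
    return header, claims

def check_assertion(header, claims, now=None):
    """Return a list of schema violations; an empty list means well formed."""
    now = int(time.time()) if now is None else now
    errors = []
    if header.get("alg") != "ES384":
        errors.append("alg must be ES384")
    if not header.get("kid") or header.get("kid") != claims.get("iss"):
        errors.append("kid and iss must both be the client_id")
    for name in ("aud", "exp", "iat", "iss", "nonce", "sub"):
        if name not in claims:
            errors.append(f"missing required claim: {name}")
    if not now < claims.get("exp", 0) <= now + MAX_LIFETIME:
        errors.append("exp must be in the future and at most 10 minutes away")
    if not 1 <= len(claims.get("nonce", "")) <= 50:
        errors.append("nonce must be 1 to 50 characters")
    unknown = set(claims.get("scope", "").split()) - ALLOWED_SCOPES
    if unknown:  # scope strings are case-sensitive, so "PSH" is unknown
        errors.append(f"unknown scopes: {sorted(unknown)}")
    if not any(s.startswith("app:") and len(s) > 4 for s in claims.get("sub", "").split()):
        errors.append("sub must include an app subject")
    for cidr in claims.get("ipaddr", "").split():
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            errors.append(f"invalid CIDR in ipaddr: {cidr}")
    return errors
```

Running the check before signing catches over-long expiries, mistyped scopes and malformed CIDR ranges locally instead of at the token endpoint.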

---

## OAuth Scope {#oauthscope}

The value of the scope parameter is a list of space-delimited, case-sensitive strings. If multiple scopes are specified, their order does not matter. Each string adds an additional access range to the requested scope. For more information about scope values, see [OAuth token scopes](/docs/developer/rest-api/ua/api-auth-reference/#oauth-token-scopes) in the *Airship API Authorization Reference* documentation.

* `att`: Attachments
* `chn`: Channels
* `tpl`: Content
* `evt`: Events
* `lst`: Lists
* `nu`: Named Users
* `pln`: Pipelines
* `psh`: Push
* `sch`: Schedules

`string`

Allowed values: `att`, `chn`, `tpl`, `evt`, `lst`, `nu`, `pln`, `psh`, `sch`

**Used in:**

- [Request token]({{< ref "/developer/rest-api/ua/operations/oauth/" >}}#requestoauthtoken)

---

## Subject {#subject}

A space-delimited set of identifiers for which subjects a token is allowed. Example: `app:JQIMcndxIHWy2QISpt1SpZ`

* `app`: May operate on the given app

**Used in:**

- [Request token]({{< ref "/developer/rest-api/ua/operations/oauth/" >}}#requestoauthtoken)

---

