STANDARD
JARM — Primer
JARM wraps authorization responses in a signed JWT, improving integrity and client validation at the OAuth redirect back‑channel.
Why it matters
Standards reduce risk and vendor lock‑in. We implement this spec across our Studios and runtime so policy is portable.
Where it’s enforced
- Gateway: pre‑execution gating (plan/schema pins, params/egress)
- Shield: inline budgets/stream caps/content checks
- PDP: decisions with constraints/obligations/TTL
- IdP: passports, token exchange, consent/DPoP
How it works (high level)
JARM returns the authorization response as a signed JWT. The JWT carries the claims iss, aud, exp, iat, state, and nonce. Clients MUST verify the signature and the expiry, and MUST protect against replay.
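The checks listed above, as an added example that is not part of this primer or the product's code: an authorization-server side that signs the `response` JWT and a client side that pins the algorithm, verifies the signature, checks iss, aud and exp, and consumes the state once so a replayed response is rejected. It assumes a constructed HS256 shared secret and hypothetical issuer and client_id values so it runs offline; a real client would verify an asymmetric signature against the server's published keys.

```python
import base64, hashlib, hmac, json

# Constructed: HS256 with a shared secret so it runs offline on the stdlib; a real AS would sign with RS256/ES256
SECRET = b"constructed-shared-secret"
ISSUER, CLIENT_ID = "https://as.example", "client-123"   # hypothetical issuer and client_id

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jarm_response(claims: dict, secret: bytes = SECRET) -> str:   # AS side: builds the `response` JWT
    head = b64url(json.dumps({"alg": "HS256"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

class JarmClient:
    def __init__(self):
        self.pending_states = set()   # states this client issued and has not yet consumed
    def verify_response(self, jwt: str, now: int) -> dict:
        # Client-side checks, in order: alg pinning, signature, iss, aud, exp, one-time state
        head, body, sig = jwt.split(".")   # ValueError unless exactly three segments
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")   # rejects alg=none and key-confusion attempts
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(body))   # trusted only after the signature check
        if claims.get("iss") != ISSUER: raise ValueError("bad iss")
        if claims.get("aud") != CLIENT_ID: raise ValueError("bad aud")   # aud may also be a list
        if claims.get("exp", 0) <= now: raise ValueError("expired")
        if claims.get("state") not in self.pending_states: raise ValueError("unknown or replayed state")
        self.pending_states.discard(claims["state"])   # consume it: a second delivery is a replay
        return claims

def demo(now: int = 1_700_000_000) -> dict:
    client = JarmClient()
    client.pending_states.add("st-1")   # recorded when the authorization request was sent
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "exp": now + 60, "iat": now,
              "state": "st-1", "nonce": "n-1", "code": "constructed-code"}
    token = sign_jarm_response(claims)
    forged = sign_jarm_response({**claims, "code": "forged-code"}, b"not-the-server-key")
    results = {}
    for label, tok in (("valid", token), ("replay", token), ("forged", forged)):
        try:
            results[label] = "accepted " + client.verify_response(tok, now)["code"]
        except ValueError as err:
            results[label] = str(err)
    return results
```

`demo()` returns the outcome of each delivery: the first copy is accepted, the same JWT delivered again fails the one-time state check, and a response signed under the wrong key fails signature verification before any claim is read.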