IETF logoDraft -02 of the JWS Unencoded Payload Option specification makes these updates:

  • Required that “b64” be integrity protected.
  • Stated that if the JWS has multiple signatures and/or MACs, the “b64” Header Parameter value MUST be the same for all of them.
  • Stated that if applications use content encoding, they MUST specify whether the encoded or unencoded payload is used as the JWS Payload value.
  • Reorganized the Unencoded Payload Content Restrictions section.
  • Added an “updates” clause for RFC 7519 because this specification prohibits JWTs from using "b64":false.

Thanks for the working group feedback that resulted in these improvements.

The specification is available at:

An HTML formatted version is also available at: