Why is NumericDate used as the date format in JWT?

trenskow · September 22, 2020, 11:22am

I was just curious…

Why has it been chosen in the RFC, that dates are represented as seconds since UNIX epoch?

Why wasn’t either milliseconds since UNIX epoch chosen (as .getTime() of JavaScript’s Date type returns) or ISO 8601 (as .toJSON() of JavaScript’s Date type returns) – both of which the Date constructor also allows. I use JWTs quite extensively, and it has always puzzled me, as to why this format what chosen, as it is not very “JavaScript natural”.

To me JSON is JavaScript Object Notation, and therefore it makes sense to use some JavaScript native date formatting?

So, I really just wanted to ask about the rationale.

I apogolize in advance if this has been answered before.

jmangelo · September 22, 2020, 1:49pm

You’ll likely have to go ask the spec authors or try to go spelunking in the OAuth working group mailing lists to see if the rationale was ever discussed there. My opinion would be that give JSON does not mandate a specific format, a format that would have good interoperability and be commonly supported would be a good choice.

In relation to why seconds and not milliseconds, not sure, likely milliseconds precision was not required and for a format aiming to be compact that would reduce a few characters.