tplooker
commented
4 years ago If what you are producing is a token then I would recommend JWT as that was its original intent and the fields you have listed appear to line up with those defined by the JWT RFC.
If what you are producing is a secure message then I would recommend using a JWM.
https://wiki.idesg.org/wiki/index.php/High_Assurance_AZ_Token#AZ_Token
This MAY BE proposed for use in US healthcare, at some point