# 20154: Invalid Claim Set

Log Type: TWILIO

Log Level: ERROR

## Description

This error indicates that the JWT was parsed successfully, but one or more claims in the payload are invalid.

### Possible causes

* One of the required claims is missing from the payload.
* For Public Key Client Validation, the payload must include the `hrh` and `rqh` claims. `hrh` is the semicolon-delimited list of lowercase headers used in the request-hash calculation (it must at least include `Host` and `Authorization`), and `rqh` is the hash of the canonicalized HTTP request. Omitting or misformatting either claim invalidates the claim set.
* For Public Key Client Validation, required payload claims include `iss`, `sub`, and `exp`; tokens received after `exp` (allowing for clock skew) or with `exp - nbf` exceeding the documented maximum are rejected, which makes the claim set invalid.

### Possible solutions

* Ensure you are using the latest Twilio Helper Library so required JWT claims are produced correctly.
* When using Public Key Client Validation:
  * Include both `hrh` and `rqh` in the payload; ensure `hrh` lists `Host` and `Authorization`.
  * Attach the JWT on requests via the `Twilio-Client-Validation` header.
  * Verify `iss`, `sub`, `exp`, and (if used) `nbf` satisfy the documented constraints, including the maximum allowed `exp - nbf` window.
* If you only need to confirm that the token is well-formed (its structure and the presence of a signature), inspect it with a standard JWT inspection tool before retesting.
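
A pre-flight check for the causes listed above, as an added example rather than Twilio's own code: it decodes the payload without verifying the signature and reports missing claims, an `hrh` that omits `Host` or `Authorization`, a token past `exp`, and an oversized `exp - nbf` window. The function names, the `max_window_s` and `skew_s` parameters, and the sample token are assumptions; set `max_window_s` to the documented maximum.

```python
import base64
import json
import time

REQUIRED = ("iss", "sub", "exp", "hrh", "rqh")
HASHED_HEADERS = {"host", "authorization"}  # compared case-insensitively


def decode_payload(token):
    """Return the JWT payload as a dict; the signature is not verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_claims(claims, max_window_s, now=None, skew_s=0):
    """Return the claim-set problems this page lists; empty means none found."""
    now = time.time() if now is None else now
    problems = [f"missing claim: {c}" for c in REQUIRED if c not in claims]
    if "hrh" in claims:
        listed = {h.strip().lower() for h in str(claims["hrh"]).split(";")}
        for h in sorted(HASHED_HEADERS - listed):
            problems.append(f"hrh does not list {h}")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if isinstance(exp, (int, float)):
        if now > exp + skew_s:
            problems.append("token is past exp")
        if isinstance(nbf, (int, float)) and exp - nbf > max_window_s:
            problems.append("exp - nbf exceeds the allowed window")
    elif exp is not None:
        problems.append("exp is not numeric")
    return problems


def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample: placeholder identifiers, hash and signature.
SAMPLE_NOW = 1_700_000_000
SAMPLE = ".".join([
    _b64({"alg": "RS256", "typ": "JWT"}),
    _b64({"iss": "SK_PLACEHOLDER", "sub": "AC_PLACEHOLDER", "nbf": SAMPLE_NOW - 10,
          "exp": SAMPLE_NOW + 900, "hrh": "host", "rqh": "PLACEHOLDER_HASH"}),
    "signature-placeholder",
])
# 300 is a constructed window for the demo; use the documented maximum.
print(check_claims(decode_payload(SAMPLE), max_window_s=300, now=SAMPLE_NOW))
```

An empty list means none of these causes was found; it does not show that the signature or the `rqh` value is correct.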

#### Additional resources

* [Public Key Client Validation Quickstart](/docs/iam/pkcv/quickstart)
* [Access Tokens](/docs/iam/access-tokens)
* [Debugging Your Twilio Application](/docs/usage/troubleshooting/debugging-your-application)
