# Claim envelope for an emergency (break-glass) human principal. Short
# expiry, emergency role, requires MFA per the profile, and triggers
# durable audit recording on every flex-auth decision that involves it.
#
# Reference: NetKingdom IAM Profile v0.2 "Emergency And Break-Glass
# Access". flex-auth maps the emergency role plus break_glass assurance to
# a `record_emergency` obligation on every decision.
iss: https://sso.netkingdom.example/realms/netkingdom
sub: f1c4f64e-2c0c-4cda-8c9f-9f3f8f3a2b0e
aud:
  - flex-auth
exp: 1767226200 # iat + 10 minutes; emergency tokens are short-lived
iat: 1767225600
auth_time: 1767225595
tenant: tenant:platform
principal_type: human
azp: ops-console
preferred_username: ada
email: ada@netkingdom.example
scope: openid profile hub:admin
roles:
  - emergency
  - admin
groups:
  - /platform/stewards
amr:
  - pwd
  - otp
  - hwk
acr: "3"
assurance:
  level: break_glass
  methods:
    - pwd
    - otp
    - hwk
  mfa: true
  source: keycloak
  at: 1767225595
emergency:
  incident_id: INC-2026-0042
  authorized_by: "team:platform-stewards"
  reason: "credential rotation playbook step 4"