# Claim envelope for an emergency (break-glass) human principal. Short
# expiry, emergency role, requires MFA per the profile, and triggers
# durable audit recording on every flex-auth decision that involves it.
#
# Reference: NetKingdom IAM Profile v0.1 §"Human Override and Emergency
# Access". flex-auth maps this to principal_type=emergency and emits a
# `record_emergency` obligation on every decision.

iss: https://sso.netkingdom.example/realms/netkingdom
sub: f1c4f64e-2c0c-4cda-8c9f-9f3f8f3a2b0e
aud:
  - flex-auth
exp: 1767226200    # iat + 10 minutes; emergency tokens are short-lived
iat: 1767225600
auth_time: 1767225595
azp: ops-console
preferred_username: ada
email: ada@netkingdom.example
scope: openid profile hub:admin
roles:
  - emergency
  - admin
amr:
  - pwd
  - otp
  - hwk
acr: "3"
emergency:
  incident_id: INC-2026-0042
  authorized_by: "team:platform-stewards"
  reason: "credential rotation playbook step 4"