This is an early review on behalf of the Internet Area Directorate. From an INTDIR perspective, I don't see any particular issues; the document doesn't discuss much at the Internet layer (no addressing, tunneling, etc.). However, I do think the document has some nits that can be improved, and overall it could be structured more clearly. Some points to consider:

- Much of Section 2.1 refers to a particular format of token (the "JWT-formatted token"), but it continually references the main JWT RFC instead of a reference for the JWT token definition for this protocol. Having this link within the document to the common/canonical JWT-formatted token would make things much clearer, so the reader can see the full list of properties in their concrete instantiation. You may even want to consider moving the concrete definition, or an example of it, up to the top of Section 2 so readers can have an idea of the scope of the token before reading the abstract field descriptions. Having concrete examples for each field would be useful as well.

- In Section 2.1.2, it says "The access token is issued by the AS in a standard GNAP transaction". Can we get a reference for this standard transaction?

- It would be useful to add step-by-step instructions for generating and validating the tokens, with concrete examples and test vectors if possible.

- The registry in Section 6.5 seems to match against the "JWT-formatted" token fields ("is conveyed in the nbf claim of a [JWT] formatted token"). Do these apply outside of JWT? Clarifying how things work for the non-JWT case, if that is supported, would be good.

- In the security considerations, why is TLS protection not a MUST instead of a "have to"? Also, why give the exception where TLS is only required on untrusted networks? Do we actually want to encourage insecure connections on "trusted networks"?

Nits:

- Section 7.3: "Cacheing" -> "Caching"

- Section 8.1: "Medial" -> "Medical"; this sentence is also not a complete sentence.