Skip to content

Understanding JWT Claims

Detailed guide on using the JWT Decoder.

Understanding JWT Claims

Claims are the building blocks of a JWT payload. There are three types of claims.

Registered Claims

These are predefined standard claims defined by the JWT specification (RFC 7519):

Claim Full Name Description
iss Issuer Identifies who issued the token
sub Subject Identifies the subject (usually a user)
aud Audience Identifies the recipients the token is intended for
exp Expiration Unix timestamp after which the token expires
nbf Not Before Unix timestamp before which the token is not valid
iat Issued At Unix timestamp when the token was created
jti JWT ID Unique identifier for the token

Public Claims

These are claim names registered in the IANA JSON Web Token Claims registry or defined using a collision-resistant name, typically a URI:

{
  "https://api.example.com/roles": ["admin"],
  "https://api.example.com/tenant": "acme-corp"
}

Private Claims

These are custom claims agreed upon between the issuer and consumer:

{
  "user_id": "abc123",
  "department": "engineering"
}

Security Considerations

  • Registered claims provide interoperability but are not required
  • Never store sensitive data (passwords, credit cards) in any claim — the payload is only base64-encoded, not encrypted
  • Always validate exp on the server side

Ready to decode?

Decode and inspect JWTs instantly in your browser.

Launch JWT Decoder

Related Tools

Try these complementary developer tools:

Popular Developer Tools

Most-used tools on LangStop