Understanding JWT Claims
Detailed guide on using the JWT Decoder.
Understanding JWT Claims
Claims are the building blocks of a JWT payload. There are three types of claims.
Registered Claims
These are predefined standard claims defined by the JWT specification (RFC 7519):
| Claim | Full Name | Description |
|---|---|---|
iss |
Issuer | Identifies who issued the token |
sub |
Subject | Identifies the subject (usually a user) |
aud |
Audience | Identifies the recipients the token is intended for |
exp |
Expiration | Unix timestamp after which the token expires |
nbf |
Not Before | Unix timestamp before which the token is not valid |
iat |
Issued At | Unix timestamp when the token was created |
jti |
JWT ID | Unique identifier for the token |
Public Claims
These are claim names registered in the IANA JSON Web Token Claims registry or defined using a collision-resistant name, typically a URI:
{
"https://api.example.com/roles": ["admin"],
"https://api.example.com/tenant": "acme-corp"
}Private Claims
These are custom claims agreed upon between the issuer and consumer:
{
"user_id": "abc123",
"department": "engineering"
}Security Considerations
- Registered claims provide interoperability but are not required
- Never store sensitive data (passwords, credit cards) in any claim — the payload is only base64-encoded, not encrypted
- Always validate
expon the server side