JWT claims (2024)

Table of Contents
Back up: what is a JSON web token? Structure of a JSON web token So, what is a JWT claim? Types of JWT claims Want auth without the headaches? Switch to Stytch. Registered claims Custom claims Manage user access with Stytch

In what is a JSON web token, we explored JSON web tokens (JWTs pronounced “jots”, for short) as a whole.

In this article we’ll dive into the meatiest part of a JSON web token: JWT claims.

Back up: what is a JSON web token?

A JSON web token is an open standard that securely relays information between clients and servers as a compact, self contained JSON object.

Simply put, it’s a form of secure communication between a client and server.

JSON web tokens’ overwhelming use case is user access management. By storing all user data client-side in the token – specifically as JWT claims – users remain both authenticated after their initial login and authorized to engage with the application according to their role and permissions.

Despite the broad range of claim values possible, all JSON web tokens take the same shape.

Structure of a JSON web token

JWTs include three components – a header, payload, and signature – that work together to store and protect user data.

Each string is Base64url encoded and separated with a dot, so all JWTs’ final form is header.payload.signature.

See Also
Online JWT DecoderImplementing Simple JWT Authentication in Django Rest Framework

JWT claims (1)

Read more about the role each JWT component plays in our article, what is a JSON web token?

So, what is a JWT claim?

Now that we know the function of a JWT (secure information transmission) and its core components (header, payload, signature), we’re ready to look at JWT claims.

JWT claims are the core information that JWTs transmit (kinda like the letter inside a sealed envelope).

The JWT claims included in the payload determine which information the JWT communicates (i.e., user identity, permissions, expiration of JWT, to name a few).

That said, developers can include however many claims they want in a given payload. They can also choose the type of claim that makes sense.

Types of JWT claims

JWT claims fall into three categories – registered, public, or private.

A quick formatting note: JWT claims are all three characters long no matter the type. This keeps the JWTs as compact as possible so servers can easily pass them back and forth.

JWT claims (2)

Want auth without the headaches? Switch to Stytch.

JWT claims (3)

Registered claims

Registered claims are pre-established and publicly documented. Below are the seven registered claims found in the official Internet Assigned Numbers Authority (IANA) and JWT databases:

  • Issuer Claim (“iss”): which application issued the JWT?
  • Subject Claim (“sub”): who is the user subject of the JWT?
  • Audience Claim (“aud”): which application is the JWT intended for?
  • Expiration Time Claim (“exp”): until what date/time can the JWT be accepted?
  • Not Before Claim (“nbf”): what date/time can the JWT start being accepted?
  • Issued At Claim (“iat”): when was the JWT issued?
  • JWT ID Claim (“jti”): which individual JWT is this?

Using a registered claim ensures your JWTs will operate smoothly across applications. This is because all libraries recognize these common, standardized claims.

Custom claims

Although it’s simplest to use registered claims, sometimes you’ll need to include user information outside the realm of those seven claims.

For example, if you want to store user metadata like email address or phone number, you’ll need to create your own custom claims.

There are two sub-categories of custom claims:

  1. Public claims: Developers define their own claims and register them with the IANA registry mentioned above.
  2. Private claims: Developers define their own claims but do not publish them. Instead, they make local agreements to ensure operability between private parties.

If you decide to register your custom claim, it’s critical that you name it something different than the registered claims. Collisions, in the case of JWTs, occur when a developer creates a custom claim with the same name as a registered term.

For example, if you’d like to associate a sandwich type with each user, you should not name your custom claim “sub.” Another application will read it as the registered “subject claim,” so your JWT won’t convey the user data that you want.

JWT claims (4)

Manage user access with Stytch

Stytch offers the tools to manage user access.

In addition to supporting registered claims and your own custom claims, our JSON web tokens include guardrails such as five minute expirations and automatic fallbacks to Stytch’s API once the local JSON web token expires.

You may have also seen sessions as an access management option. If you’re debating the two, you can learn more about the difference between JWTs vs. sessions on our blog.

JWT claims (2024)
Top Articles
7 Recession-Proof Passive Income Streams You Can Rely On, According to Experts
LLC loans: How to get funding for your business
Bulls, Nikola Vučević agree to 3-year, $60 million extension: Sources
Ou Football Brainiacs
Busted Newspaper Mcpherson Kansas
Scott Surratt Salary
Ew41.Ultipro
Cars for Sale by Owner in Shreveport, LA
6465319333
How to Write The New Twitter 𝕏 Logo - Hypefury
Tyler Perry's House of Payne | Tyler Perry's House Of Payne: 10 Episodes, News, Videos and Cast | BET US
Yuliett Torres Lives
The Licking Chicago Stony Island Menu
Medical conditions and pregnancy | Information
Unblocked Baseball Games 66
Terraria Enchanting
Magicseaweed Capitola
Tw's Bait And Tackle Fishing Report
VesalBlood ALTERNE: Diesem Fernen Traum - Ri47
Cookie Run Kingdom Wiki Characters
Tar Heels Baseball Schedule
Results from Form 1 of Page crazybutkool/crear_post.htm
Unwrap The Cash Ga Lottery
Mynusclevideo
Berklee College Of Music Academic Calendar
Gigamonster Outage
Retrogames.cc Unblocked
Preventice Learnworlds
Grown Ups - TV Tropes
Meetmyage Sign In
Syracuse Deadline
Davisk12
Cbs Fantasy Mlb
Gas Station Near Santa Barbara Airport
King Von Autopsy Pics.
Gas Prices In Ottawa Il
Baird Funeral Home Wayland Ny Obituaries
Terraria Static Refiner
Wheely 6 Abcya
Deer Shed Clover Sc
Arknights Gamepress
Jamie Kagol Married
The Attleboro Sun Chronicle Obituaries
Wnjn Tv Schedule
Bmw 328i e46 - oferte
northern virginia apartments / housing for rent - craigslist
Epower Raley's
Miami Valley Harness Picks
66 Ez Basketball Stars
Star Citizen 2024 Review - Is it worth buying? - Gamers By Night
Latest Posts
3 Monthly Dividend Stocks for Consistent Passive Income
How to get an LLC loan | Bankrate
Article information

Author: Pres. Carey Rath

Last Updated:

Views: 6558

Rating: 4 / 5 (61 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Pres. Carey Rath

Birthday: 1997-03-06

Address: 14955 Ledner Trail, East Rodrickfort, NE 85127-8369

Phone: +18682428114917

Job: National Technology Representative

Hobby: Sand art, Drama, Web surfing, Cycling, Brazilian jiu-jitsu, Leather crafting, Creative writing

Introduction: My name is Pres. Carey Rath, I am a faithful, funny, vast, joyous, lively, brave, glamorous person who loves writing and wants to share my knowledge and understanding with you.