What are JWT claims
Last updated: April 1, 2026
Key Facts
- Claims are base64url encoded in the JWT payload but not encrypted, making them readable without decryption
- There are three claim types: registered claims (standard IANA claims), public claims (custom claims with collision resistance), and private claims (custom claims between parties)
- Common registered claims include iss (issuer), sub (subject), aud (audience), exp (expiration time), iat (issued at), and nbf (not before)
- Claims are protected by the JWT's cryptographic signature, which lets a recipient verify that they have not been tampered with
- Custom claims can be added to JWTs to include application-specific user data like roles, permissions, or user IDs
Overview
JWT claims are the core data component of JSON Web Tokens, containing the actual information being transmitted. Unlike headers or signatures, claims make up the payload—the second part of the JWT structure. These claims are key-value pairs that encode user information, permissions, metadata, and other relevant data that the token issuer wants to communicate to the token recipient.
Types of Claims
The JWT specification defines three categories of claims. Registered claims are standard claim names defined by the IANA JSON Web Token Claims registry, including iss (issuer), sub (subject), aud (audience), exp (expiration time), iat (issued at), and nbf (not before). Public claims are custom claims that follow a collision-resistant naming convention, typically using namespaced identifiers. Private claims are custom claims agreed upon between the issuer and recipient, used for application-specific data.
Common Registered Claims
- iss (Issuer): Identifies the principal that issued the JWT
- sub (Subject): Identifies the principal that is the subject of the JWT (usually the user ID)
- aud (Audience): Identifies the recipients that the JWT is intended for
- exp (Expiration Time): The time after which the JWT must not be accepted for processing
- iat (Issued At): The time at which the JWT was issued
Custom Claims
Beyond registered claims, applications frequently add custom claims to include application-specific user data. These might include user roles, permissions, email addresses, user preferences, or any other relevant information. Custom claims should be carefully designed to avoid conflicts with future standards and to minimize token size, as larger tokens consume more bandwidth and storage.
Security Considerations
While claims are encoded and may appear secure, they are not encrypted by default. The base64url encoding is for formatting, not security—anyone can decode the payload to read the claims. However, the JWT signature provides verification that the claims have not been tampered with. The signature ensures authenticity and integrity, allowing recipients to trust that the claims originated from the expected issuer and haven't been modified in transit, provided the recipient actually verifies the signature before acting on any claim.
Related Questions
What is the difference between JWT claims and JWT headers?
JWT claims are the data payload containing user information and permissions, while JWT headers specify metadata about the token like the algorithm and type. Headers tell you how to process the token; claims contain what the token says about the user.
Can JWT claims be encrypted?
By default, JWT claims are only encoded (base64url) but not encrypted, making them readable to anyone. However, JSON Web Encryption (JWE) can be used to encrypt the entire token if confidentiality of claims is required.
How are custom claims validated in JWTs?
Custom claims are validated by the application logic after the JWT signature is verified. The server checks the signature first, then examines custom claims like roles or permissions to enforce application-specific authorization rules.
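The validation order described above (signature first, then the registered claims, then application-specific claims such as roles), as an added example that is not part of the original article. It uses only the Python standard library with a constructed HS256 secret; the issuer, audience and claim values are assumptions for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed sample secret for this example; a real deployment uses a managed key.
SECRET = b"example-shared-secret-do-not-reuse"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Build an HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"

def read_claims_unverified(token: str) -> dict:
    """Claims are only base64url encoded: anyone can read them without the key."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_claims(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check the signature first, then the registered claims, then hand claims to app logic."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm rather than trusting the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:  # exp: current time must be before it
        raise ValueError("token expired")
    if now < claims.get("nbf", now):  # nbf: current time must be at or after it
        raise ValueError("token not yet valid")
    return claims

def has_role(claims: dict, role: str) -> bool:
    """Private (custom) claim check, applied only after verify_claims succeeded."""
    return role in claims.get("roles", [])
```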
Sources
- RFC 7519 - JSON Web Token (JWT) (Public Domain)
- Wikipedia - JSON Web Token (CC-BY-SA-4.0)