What Are JWT Claims
Last updated: April 1, 2026
Key Facts
- Claims are base64url encoded in the JWT payload but not encrypted, making them readable without decryption
- There are three claim types: registered claims (standard IANA claims), public claims (custom claims with collision resistance), and private claims (custom claims between parties)
- Common registered claims include iss (issuer), sub (subject), aud (audience), exp (expiration time), iat (issued at), and nbf (not before)
- Claims are protected by the JWT's cryptographic signature, which lets a recipient verify that they have not been tampered with
- Custom claims can be added to JWTs to include application-specific user data like roles, permissions, or user IDs
Overview
JWT claims are the core data component of JSON Web Tokens, containing the actual information being transmitted. Unlike headers or signatures, claims make up the payload—the second part of the JWT structure. These claims are key-value pairs that encode user information, permissions, metadata, and other relevant data that the token issuer wants to communicate to the token recipient.
Types of Claims
The JWT specification defines three categories of claims. Registered claims are standard claim names defined by the IANA JSON Web Token Claims registry, including iss (issuer), sub (subject), aud (audience), exp (expiration time), iat (issued at), and nbf (not before). Public claims are custom claims that follow a collision-resistant naming convention, typically using namespaced identifiers. Private claims are custom claims agreed upon between the issuer and recipient, used for application-specific data.
Common Registered Claims
- iss (Issuer): Identifies the principal that issued the JWT
- sub (Subject): Identifies the principal that is the subject of the JWT (usually the user ID)
- aud (Audience): Identifies the recipients that the JWT is intended for
- exp (Expiration Time): The time after which the JWT must not be accepted for processing
- nbf (Not Before): The time before which the JWT must not be accepted for processing
- iat (Issued At): The time at which the JWT was issued
Custom Claims
Beyond registered claims, applications frequently add custom claims to include application-specific user data. These might include user roles, permissions, email addresses, user preferences, or any other relevant information. Custom claims should be carefully designed to avoid conflicts with future standards and to minimize token size, as larger tokens consume more bandwidth and storage.
Security Considerations
While claims are encoded and may appear secure, they are not encrypted by default. The base64url encoding is for formatting, not security—anyone can decode the payload to read the claims. However, the JWT signature provides verification that the claims have not been tampered with. The signature ensures authenticity and integrity, allowing recipients to trust that the claims originated from a trusted issuer and haven't been modified in transit.
Related Questions
What is the difference between JWT claims and JWT headers?
JWT claims are the data payload containing user information and permissions, while JWT headers specify metadata about the token like the algorithm and type. Headers tell you how to process the token; claims contain what the token says about the user.
Can JWT claims be encrypted?
By default, JWT claims are only encoded (base64url) but not encrypted, making them readable to anyone. However, JSON Web Encryption (JWE) can be used to encrypt the entire token if confidentiality of claims is required.
How are custom claims validated in JWTs?
Custom claims are validated by the application logic after the JWT signature is verified. The server checks the signature first, then examines custom claims like roles or permissions to enforce application-specific authorization rules.
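As an added example (not code from the original page), the flow described here and in the Custom Claims and Security Considerations sections above, using only the Python standard library: read the payload without any key, then verify an HS256 signature and the registered claims before trusting a custom role claim. The key, issuer, audience and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    # Compact serialization: base64url(header).base64url(payload).base64url(signature)
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def read_claims_unverified(token: str) -> dict:
    # The payload is only encoded, not encrypted: no key is needed to read it.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_and_validate(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Pin the expected algorithm rather than trusting whatever the header says.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: claims cannot be trusted")
    claims = json.loads(b64url_decode(payload_b64))
    # Registered claims are checked only once the signature holds.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if now < claims.get("nbf", now):
        raise ValueError("token not yet valid")
    return claims

def has_role(token: str, key: bytes, issuer: str, audience: str, now: int, role: str) -> bool:
    # The custom claim is consulted only on a verified and validated token.
    return verify_and_validate(token, key, issuer, audience, now).get("role") == role

# Constructed sample values for this demonstration (not a real key, issuer or audience).
DEMO_KEY = b"demo-secret-do-not-use"
DEMO_CLAIMS = {"iss": "https://auth.example", "sub": "user-123", "aud": "api.example",
               "iat": 1_700_000_000, "nbf": 1_700_000_000, "exp": 1_700_003_600, "role": "user"}
```

Forging the payload of a token (for instance changing role to admin) still decodes fine with read_claims_unverified, but verify_and_validate rejects it because the signature no longer matches.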