What Are JWT Claims? iss, sub, aud, exp, and More
The middle section of a JWT — the payload — is just a JSON object of claims. Each claim is a statement about the user or the token itself. Some names are standardized; the rest are up to you.
Registered claims
These short names are reserved by the JWT spec (RFC 7519). They're optional, but if you use them, they must mean what the spec says:
| Claim | Name | Meaning |
|---|---|---|
iss | Issuer | Who created the token |
sub | Subject | Who the token is about (usually a user ID) |
aud | Audience | Who the token is intended for |
exp | Expiration | Unix time after which the token is invalid |
nbf | Not Before | Unix time before which the token is invalid |
iat | Issued At | Unix time the token was created |
jti | JWT ID | Unique identifier, useful for revocation |
The time-based claims (exp, nbf, iat) are Unix timestamps in seconds, not milliseconds — a common source of bugs.
A typical payload
{
"iss": "https://auth.example.com",
"sub": "user_12345",
"aud": "https://api.example.com",
"exp": 1799999999,
"iat": 1799996399,
"role": "admin"
}
Here role is a private claim — a custom field you and your API agree on.
Public vs private claims
- Public claims are custom names you register or namespace with a URI to avoid collisions (e.g.
"https://example.com/role"). - Private claims are ad-hoc names shared only between parties that already trust each other.
Keep payloads small — every claim travels on every request.
Validating claims matters
Decoding a token shows the claims, but you must still verify them: check exp hasn't passed, aud matches your API, and iss is who you expect. A valid signature on a token meant for a different audience is still the wrong token. See how to verify a JWT signature.
Inspect a token's claims
Paste any token into the JWT decoder to see its decoded claims and expiry instantly — nothing is sent to a server. New to JWTs? Start with what is a JWT.
Got a config file to check?
Open the config toolkit →