JWT claims (2024)

Table of Contents
Back up: what is a JSON web token? Structure of a JSON web token So, what is a JWT claim? Types of JWT claims Want auth without the headaches? Switch to Stytch. Registered claims Custom claims Manage user access with Stytch

In what is a JSON web token, we explored JSON web tokens (JWTs pronounced “jots”, for short) as a whole.

In this article we’ll dive into the meatiest part of a JSON web token: JWT claims.

Back up: what is a JSON web token?

A JSON web token is an open standard that securely relays information between clients and servers as a compact, self contained JSON object.

Simply put, it’s a form of secure communication between a client and server.

JSON web tokens’ overwhelming use case is user access management. By storing all user data client-side in the token – specifically as JWT claims – users remain both authenticated after their initial login and authorized to engage with the application according to their role and permissions.

Despite the broad range of claim values possible, all JSON web tokens take the same shape.

Structure of a JSON web token

JWTs include three components – a header, payload, and signature – that work together to store and protect user data.

Each string is Base64url encoded and separated with a dot, so all JWTs’ final form is header.payload.signature.

See Also
Online JWT DecoderImplementing Simple JWT Authentication in Django Rest Framework

JWT claims (1)

Read more about the role each JWT component plays in our article, what is a JSON web token?

So, what is a JWT claim?

Now that we know the function of a JWT (secure information transmission) and its core components (header, payload, signature), we’re ready to look at JWT claims.

JWT claims are the core information that JWTs transmit (kinda like the letter inside a sealed envelope).

The JWT claims included in the payload determine which information the JWT communicates (i.e., user identity, permissions, expiration of JWT, to name a few).

That said, developers can include however many claims they want in a given payload. They can also choose the type of claim that makes sense.

Types of JWT claims

JWT claims fall into three categories – registered, public, or private.

A quick formatting note: JWT claims are all three characters long no matter the type. This keeps the JWTs as compact as possible so servers can easily pass them back and forth.

JWT claims (2)

Want auth without the headaches? Switch to Stytch.

JWT claims (3)

Registered claims

Registered claims are pre-established and publicly documented. Below are the seven registered claims found in the official Internet Assigned Numbers Authority (IANA) and JWT databases:

  • Issuer Claim (“iss”): which application issued the JWT?
  • Subject Claim (“sub”): who is the user subject of the JWT?
  • Audience Claim (“aud”): which application is the JWT intended for?
  • Expiration Time Claim (“exp”): until what date/time can the JWT be accepted?
  • Not Before Claim (“nbf”): what date/time can the JWT start being accepted?
  • Issued At Claim (“iat”): when was the JWT issued?
  • JWT ID Claim (“jti”): which individual JWT is this?

Using a registered claim ensures your JWTs will operate smoothly across applications. This is because all libraries recognize these common, standardized claims.

Custom claims

Although it’s simplest to use registered claims, sometimes you’ll need to include user information outside the realm of those seven claims.

For example, if you want to store user metadata like email address or phone number, you’ll need to create your own custom claims.

There are two sub-categories of custom claims:

  1. Public claims: Developers define their own claims and register them with the IANA registry mentioned above.
  2. Private claims: Developers define their own claims but do not publish them. Instead, they make local agreements to ensure operability between private parties.

If you decide to register your custom claim, it’s critical that you name it something different than the registered claims. Collisions, in the case of JWTs, occur when a developer creates a custom claim with the same name as a registered term.

For example, if you’d like to associate a sandwich type with each user, you should not name your custom claim “sub.” Another application will read it as the registered “subject claim,” so your JWT won’t convey the user data that you want.

JWT claims (4)

Manage user access with Stytch

Stytch offers the tools to manage user access.

In addition to supporting registered claims and your own custom claims, our JSON web tokens include guardrails such as five minute expirations and automatic fallbacks to Stytch’s API once the local JSON web token expires.

You may have also seen sessions as an access management option. If you’re debating the two, you can learn more about the difference between JWTs vs. sessions on our blog.

JWT claims (2024)
Top Articles
VFSC Regulation Changes FAQ | Help Center - Blueberry Markets
USD To INR: Convert United States Dollar to Indian Rupee - Forbes Advisor
Creepshotorg
Nybe Business Id
Katie Pavlich Bikini Photos
Stretchmark Camouflage Highland Park
4-Hour Private ATV Riding Experience in Adirondacks 2024 on Cool Destinations
Le Blanc Los Cabos - Los Cabos – Le Blanc Spa Resort Adults-Only All Inclusive
Room Background For Zepeto
Professor Qwertyson
Es.cvs.com/Otchs/Devoted
Brgeneral Patient Portal
T&G Pallet Liquidation
Amateur Lesbian Spanking
Osrs Blessed Axe
Slag bij Plataeae tussen de Grieken en de Perzen
Things To Do In Atlanta Tomorrow Night
Craigslist Deming
Flower Mound Clavicle Trauma
Best Forensic Pathology Careers + Salary Outlook | HealthGrad
25Cc To Tbsp
Webcentral Cuny
24 Hour Drive Thru Car Wash Near Me
Nevermore: What Doesn't Kill
Jet Ski Rental Conneaut Lake Pa
11 Ways to Sell a Car on Craigslist - wikiHow
Helpers Needed At Once Bug Fables
Student Portal Stvt
Feathers
Calvin Coolidge: Life in Brief | Miller Center
What Is The Lineup For Nascar Race Today
Autotrader Bmw X5
Rust Belt Revival Auctions
Arcane Odyssey Stat Reset Potion
Waffle House Gift Card Cvs
Keeper Of The Lost Cities Series - Shannon Messenger
Build-A-Team: Putting together the best Cathedral basketball team
How to Draw a Sailboat: 7 Steps (with Pictures) - wikiHow
Dadeclerk
More News, Rumors and Opinions Tuesday PM 7-9-2024 — Dinar Recaps
If You're Getting Your Nails Done, You Absolutely Need to Tip—Here's How Much
The Attleboro Sun Chronicle Obituaries
The power of the NFL, its data, and the shift to CTV
Yale College Confidential 2027
Professors Helpers Abbreviation
15 Best Places to Visit in the Northeast During Summer
How to Connect Jabra Earbuds to an iPhone | Decortweaks
Race Deepwoken
Julies Freebies Instant Win
Craigs List Sarasota
Latest Posts
USD Coin Exchanges - Buy, Sell & Trade USDC | CoinCodex
Cryptomining detection best practices  |  Security Command Center  |  Google Cloud
Article information

Author: Pres. Carey Rath

Last Updated:

Views: 6558

Rating: 4 / 5 (61 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Pres. Carey Rath

Birthday: 1997-03-06

Address: 14955 Ledner Trail, East Rodrickfort, NE 85127-8369

Phone: +18682428114917

Job: National Technology Representative

Hobby: Sand art, Drama, Web surfing, Cycling, Brazilian jiu-jitsu, Leather crafting, Creative writing

Introduction: My name is Pres. Carey Rath, I am a faithful, funny, vast, joyous, lively, brave, glamorous person who loves writing and wants to share my knowledge and understanding with you.