DataToolings

JWT Claims Reference

Searchable reference for JWT registered, public, and private claims with descriptions, types, and example values.

29 claims

iss (Issuer), Registered, type: string

Identifies the principal that issued the JWT. Typically a URL or domain name of the auth server.

"iss": "https://auth.example.com"

sub (Subject), Registered, type: string

Identifies the principal that is the subject of the JWT. Usually a user ID or unique identifier.

"sub": "user_01HXYZ123"

aud (Audience), Registered, type: string | string[]

Identifies the recipients the JWT is intended for. Each recipient must verify that its own identifier appears in the audience list and reject the token otherwise.

"aud": ["https://api.example.com", "https://app.example.com"]

exp (Expiration Time), Registered, type: number (Unix timestamp)

The time after which the JWT must not be accepted. Always validate this to prevent token reuse after expiry.

"exp": 1735689600

nbf (Not Before), Registered, type: number (Unix timestamp)

The time before which the JWT must not be accepted. Useful for tokens that should only be valid in the future.

"nbf": 1735603200

iat (Issued At), Registered, type: number (Unix timestamp)

The time at which the JWT was issued. Can be used to determine the age of the token.

"iat": 1735603200

jti (JWT ID), Registered, type: string

Unique identifier for the JWT. Used to prevent the token from being replayed. Store used JTIs to detect reuse.

"jti": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"

name (Full Name), Public, type: string

End-user's full name in displayable form. From OpenID Connect standard claims.

"name": "Jane Doe"

given_name (Given Name), Public, type: string

End-user's given name (first name).

"given_name": "Jane"

family_name (Family Name), Public, type: string

End-user's family name (last name).

"family_name": "Doe"

email (Email), Public, type: string

End-user's preferred email address. May not be unique across providers.

"email": "jane@example.com"

email_verified (Email Verified), Public, type: boolean

True if the email address has been verified by the provider.

"email_verified": true

phone_number (Phone Number), Public, type: string

End-user's preferred phone number in E.164 format.

"phone_number": "+14155552671"

picture (Profile Picture URL), Public, type: string (URL)

URL of the end-user's profile picture.

"picture": "https://example.com/avatar/jane.jpg"

locale (Locale), Public, type: string (BCP47)

End-user's locale, represented as a BCP47 language tag.

"locale": "en-US"

zoneinfo (Time Zone), Public, type: string (IANA tz)

End-user's time zone from the IANA Time Zone Database.

"zoneinfo": "America/New_York"

updated_at (Updated At), Public, type: number (Unix timestamp)

Time the end-user information was last updated.

"updated_at": 1735000000

nonce (Nonce), Public, type: string

String value used to associate a client session with an ID token and mitigate replay attacks. Used in OIDC.

"nonce": "n-0S6_WzA2Mj"

at_hash (Access Token Hash), Public, type: string

Hash of the access token. Used in OpenID Connect to bind the ID token to an access token.

"at_hash": "77QmUPtjPfzWtF2AnpK9RQ"

c_hash (Code Hash), Public, type: string

Hash of the authorization code. Used in OpenID Connect hybrid flow.

"c_hash": "LDktKdoQak3Pk0cnXxCltA"

acr (Authentication Context Class Reference), Public, type: string

Identifies the Authentication Context Class that the authentication performed satisfied.

"acr": "urn:mace:incommon:iap:silver"

amr (Authentication Methods References), Public, type: string[]

Identifies the authentication methods used. E.g., pwd (password), otp, mfa.

"amr": ["pwd", "otp"]

azp (Authorized Party), Public, type: string

The party to which the ID token was issued. Present when the audience is a single value different from the authorized party.

"azp": "client_app_id"

sid (Session ID), Public, type: string

Session identifier. Used in OIDC logout to identify the session to terminate.

"sid": "08a5019c-17e1-4977-8f42-65a12843ea02"

role (Role), Private, type: string | string[]

Application-defined role(s) for authorization. Not standardized — define your own values.

"role": ["admin", "editor"]

permissions (Permissions), Private, type: string[]

Fine-grained permission scopes granted to the token holder.

"permissions": ["read:users", "write:posts"]

scope (Scope), Private, type: string (space-separated)

OAuth 2.0 scopes granted to the access token. Space-separated list of scope values.

"scope": "openid profile email read:api"

tenant_id (Tenant ID), Private, type: string

Multi-tenant application identifier. Scopes the token to a specific tenant or organization.

"tenant_id": "org_acme_corp"

org_id (Organization ID), Private, type: string

Organization identifier used in B2B SaaS applications.

"org_id": "org_01HXYZ456"

What Is JWT Claims Reference?

A searchable reference for all standard JWT (JSON Web Token) claims defined in RFC 7519, OpenID Connect, and common application patterns. Each entry includes the claim name, full name, type, description, and a concrete example — so you can quickly find and use the right claim in your tokens.

How to Use

  1. Search by claim name or description keyword
  2. Filter by category: Registered, Public, or Private
  3. Click the copy button to copy the example JSON snippet

Features

  • 29 JWT claims across 3 categories
  • Registered claims from RFC 7519
  • Public claims from OpenID Connect standard
  • Common private/custom claims used in practice
  • One-click copy for each example value

FAQ

What is the difference between registered, public, and private claims?

Registered claims (RFC 7519) are standardized short names like iss, sub, exp. Public claims are IANA-registered names from OpenID Connect. Private claims are custom application-specific claims agreed upon between parties — use collision-resistant names (e.g., namespaced URIs) to avoid conflicts.

Which claims should I always validate?

Always validate: exp (not expired), iss (expected issuer), aud (your app is in the audience), and nbf (token is active). For OIDC ID tokens, also validate nonce to prevent replay attacks.

Should I put sensitive data in JWT claims?

No. JWT payloads are base64url-encoded, not encrypted, so anyone who holds the token can read every claim. Never include passwords, secrets, or PII beyond what is necessary. Use JWE (JSON Web Encryption) if you need to encrypt the payload.

What is the jti claim used for?

The jti (JWT ID) is a unique identifier for the token. By storing used JTIs in a blocklist, you can implement one-time-use tokens or revoke specific tokens before they expire — useful for logout and refresh token rotation.
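As an added example (not part of this reference page), the checks from the two answers above combined in one Python function: exp and nbf with clock-skew leeway, iss, aud as either a string or a list, the OIDC nonce, and a jti replay blocklist. It assumes the token's signature has already been verified by a JWT library and works on the decoded payload dict; the sample payload is constructed from this page's example values.

```python
import time

# Constructed sample payload built from this page's example values (not a real token).
SAMPLE_CLAIMS = {
    "iss": "https://auth.example.com",
    "aud": ["https://api.example.com", "https://app.example.com"],
    "exp": 1735689600,
    "nbf": 1735603200,
    "jti": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "nonce": "n-0S6_WzA2Mj",
}

def validate_claims(claims, expected_issuer, my_audience, *, now=None,
                    leeway=0, expected_nonce=None, seen_jtis=None):
    """Return the list of problems found in an already signature-verified payload.
    Empty list = accept. seen_jtis is an optional set used as a replay blocklist:
    a jti already in it is rejected, and an accepted token's jti is added to it."""
    problems = []
    now = time.time() if now is None else now
    # exp is mandatory here: a token with no expiry could never expire.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("exp missing or not numeric")
    elif now > exp + leeway:
        problems.append("token expired")
    nbf = claims.get("nbf")
    if nbf is not None and (not isinstance(nbf, (int, float)) or now < nbf - leeway):
        problems.append("token not yet valid")
    if claims.get("iss") != expected_issuer:
        problems.append("unexpected issuer")
    # aud may be one string or a list; this service must be named in it.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if my_audience not in audiences:
        problems.append("audience does not include this service")
    # For an OIDC ID token, nonce must match the value the client generated for this login.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    jti = claims.get("jti")
    if seen_jtis is not None:
        if not isinstance(jti, str) or not jti:
            problems.append("jti missing")
        elif jti in seen_jtis:
            problems.append("jti already used (replay)")
        elif not problems:  # record only the jti of a token we are accepting
            seen_jtis.add(jti)
    return problems
```

In a real deployment the blocklist set would live in shared storage with entries expiring at the token's exp, since a jti only needs to be remembered until the token could no longer validate anyway.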