JWT Claims Reference Table
A complete lookup for standard RFC 7519 registered claims and common extensions.
| Claim | Full Name | Data Type | Description | Example |
|---|---|---|---|---|
| iss | Issuer | String / URI | Identifies the principal that issued the JWT. Useful to verify the token came from the expected authorization server. | "https://auth.example.com" |
| sub | Subject | String / URI | Identifies the principal that is the subject of the JWT. Usually the user ID in an application. | "user_12345" |
| aud | Audience | String / Array | Identifies the recipients that the JWT is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim. | "https://api.example.com" |
| exp | Expiration Time | NumericDate | Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. | 1516239022 |
| nbf | Not Before | NumericDate | Identifies the time before which the JWT MUST NOT be accepted for processing. | 1516239000 |
| iat | Issued At | NumericDate | Identifies the time at which the JWT was issued. Can be used to determine the age of the JWT. | 1516239022 |
| jti | JWT ID | String | Provides a unique identifier for the JWT. Useful to prevent replay attacks. | "jti-83a1b" |
| name | Full Name | String | End-User's full name in displayable form including all name parts. | "John Doe" |
| email | Email Address | String | End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 addr-spec syntax. | "john@example.com" |
| roles | Roles / Groups | Array of Strings | Common custom claim used to define user roles or permissions for RBAC (Role-Based Access Control). | ["admin", "user"] |
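
The following is an added example, not part of the original reference: it applies the `iss`, `aud`, `exp`, `nbf` and `roles` rows above to a payload whose signature has already been verified. The function name `validate_claims`, its parameters, the `leeway` allowance and the policy of treating `exp` as required are assumptions of this example.

```python
import time

def _is_numeric_date(v):
    # NumericDate is a JSON number of seconds since the epoch; bool is not one
    return isinstance(v, (int, float)) and not isinstance(v, bool)

def validate_claims(claims, expected_iss, expected_aud, now=None, leeway=0):
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []

    # iss: exact match against the authorization server this service trusts
    if claims.get("iss") != expected_iss:
        problems.append("iss: unexpected issuer")

    # aud: a single string or an array; this service must appear in it
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or expected_aud not in audiences:
        problems.append("aud: this service is not an intended recipient")

    # exp: rejected ON or after the expiration time (required here by policy)
    exp = claims.get("exp")
    if not _is_numeric_date(exp):
        problems.append("exp: missing or not a NumericDate")
    elif now >= exp + leeway:
        problems.append("exp: token expired")

    # nbf: optional, but when present the token is rejected before that time
    nbf = claims.get("nbf")
    if nbf is not None:
        if not _is_numeric_date(nbf):
            problems.append("nbf: not a NumericDate")
        elif now < nbf - leeway:
            problems.append("nbf: token not yet valid")

    # roles: custom claim; a bare string must not be treated as a role list
    roles = claims.get("roles", [])
    if not (isinstance(roles, list) and all(isinstance(r, str) for r in roles)):
        problems.append("roles: must be an array of strings")
    return problems

# Constructed payload built from the example values in the table
SAMPLE = {
    "iss": "https://auth.example.com", "sub": "user_12345",
    "aud": "https://api.example.com", "exp": 1516239022, "nbf": 1516239000,
    "iat": 1516239022, "jti": "jti-83a1b", "roles": ["admin", "user"],
}
```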