Claim

A claim is a name/value pair in a JWT payload that asserts something about the token’s subject. Claims are JSON properties; the payload is a JSON object of them. Standard claims defined in RFC 7519 §4:

• iss — Issuer: who created the token.
• sub — Subject: who the token is about (typically a user ID).
• aud — Audience: who the token is intended for. Can be a string or array.
• exp — Expiry: Unix seconds after which the token must be rejected.
• iat — Issued At: Unix seconds when the token was created.
• nbf — Not Before: Unix seconds before which the token is invalid.
• jti — JWT ID: a unique identifier for revocation tracking.

Beyond the standard set, applications add their own claims: role, email, tenant_id, permissions, etc. RFC 7519 doesn’t restrict what custom claims look like, though IANA maintains a registry of well-known names to prevent collisions.

Three classes of claims worth distinguishing: registered (the seven above, IANA-managed), public (registered with IANA or namespaced under a URI to avoid clashes), and private (mutually-agreed between issuer and consumer; no namespacing).

Decode and inspect every claim in a JWT with our JWT decoder. It surfaces the standard claims separately and shows time-to-expiry against your machine’s current time.