iss: Issuer — who issued the token. | sub: Subject — who the token is about. | aud: Audience — intended recipients.

role: User role or permissions. | scope: Space-delimited permissions. | tenant_id: Multi-tenant identifier.

JWT Claims Reference

Registered claims, common custom claims, and validation tips for JSON Web Tokens.

Registered Claims

Key / Code	Description
iss	Issuer — who issued the token.
sub	Subject — who the token is about.
aud	Audience — intended recipients.
exp	Expiration time (Unix).
nbf	Not before time.
iat	Issued at time.
jti	JWT ID — unique token identifier.

Common Custom Claims

Key / Code	Description
role	User role or permissions.
scope	Space-delimited permissions.
tenant_id	Multi-tenant identifier.

Validation Checklist

Always validate signature, issuer, audience, and expiration. Reject tokens using none or unexpected algorithms.

When These Claims Matter

This page is most useful when integrating identity providers, debugging authorization failures, or auditing token contents during backend and frontend auth work. In practice, most JWT bugs come from mismatched issuer or audience values, clock skew around exp or nbf, or confusing ID token fields with API access token claims.

Common JWT Mistakes

A common mistake is decoding a JWT and assuming it is valid without verifying the signature and algorithm. Another is trusting custom claims before checking issuer and audience. Teams also frequently overload tokens with too much application state, which makes revocation and compatibility harder later.

JWT Decoder Tool

Decode and inspect tokens quickly before validating claim semantics.

OAuth 2.0 Flow Guide

See how JWT claims fit into broader token flows and identity exchanges.

HTTP Headers Reference

Useful when JWTs travel inside Authorization headers.

Knowledge is power.