JWT Registered Claim Reference

All IANA-registered JWT claim names with descriptions.

Searchable reference of registered JWT claims from RFC 7519 and OpenID Connect — iss, sub, aud, exp, iat, jti and profile claims — each with type, meaning and an example value. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What are the seven registered claims in RFC 7519?

iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at) and jti (JWT ID). They are all optional in the spec but most are required in practice for secure validation, especially exp, iss and aud.

Every registered JWT claim, with type and meaning

A JSON Web Token carries a set of claims in its payload. Some claim names are registered with IANA and have fixed meanings; using them consistently lets any compliant library validate a token. This reference lists the RFC 7519 standard claims plus the common OpenID Connect profile claims, each with its data type, a description and an example value.

How it works

A JWT payload is a JSON object of name/value pairs. Registered claims like iss, sub, aud, exp, nbf, iat and jti drive validation; OpenID Connect adds identity claims such as email and name to ID tokens. Time claims use NumericDate — seconds since the Unix epoch.

{
  "iss": "https://auth.example.com",
  "sub": "user-12345",
  "aud": "api.example.com",
  "exp": 1735689600,
  "iat": 1735603200,
  "scope": "openid profile email"
}

A verifier checks the signature, then asserts exp is in the future, nbf is in the past, and that iss and aud match what it expects.

Tips and notes

  • Always validate exp, nbf, iss and aud — a valid signature alone does not make a token safe to trust.
  • Keep tokens short-lived and use jti plus a deny-list if you need revocation.
  • The nonce claim ties an ID token to the authentication request and defends against replay in OpenID Connect.
  • Namespace any custom claims (for example with a URI prefix) so they never collide with future registered names.

The seven RFC 7519 registered claims in detail

RFC 7519 defines exactly seven claim names with reserved semantics. All are optional in the specification, but in practice most secure systems require several of them:

ClaimTypePurpose
issString (URI)Identifies the principal that issued the token
subStringIdentifies the subject — typically a user ID
audString or arrayNames the intended recipient(s)
expNumericDateToken expiration time; reject after this moment
nbfNumericDateToken not valid before this time
iatNumericDateTime at which the token was issued
jtiStringUnique identifier for the token; enables revocation

NumericDate is always an integer count of seconds since the Unix epoch (1970-01-01 00:00:00 UTC). A common mistake is using milliseconds (as JavaScript’s Date.now() returns) — this produces an exp in the year ~50000 and the token never expires in practice.

OpenID Connect additions

OpenID Connect layers identity claims on top of the RFC 7519 base for ID tokens delivered to client applications. Common ones include name, email, email_verified, picture, locale, zoneinfo, phone_number, address, updated_at, auth_time, nonce, acr, amr, and azp. These let a client learn who the user is without making an additional userinfo endpoint call.

Of these, email_verified deserves extra attention: the presence of an email claim alone does not prove the user controls that address. Only treat the email as verified when email_verified is true.

Claims for access tokens (RFC 9068)

Access tokens presented to resource servers often carry additional claims beyond the identity set: scope lists what the bearer is authorised to do, client_id names the OAuth client, roles or groups may carry authorisation data, and cnf can pin the token to a specific cryptographic key. These are not in RFC 7519 but are commonly included by identity providers following RFC 9068 (JSON Web Token Profile for Access Tokens).