JWT Claims Guide — Standard & Custom Claims
JSON Web Tokens carry claims — statements about the user and metadata. Understanding which claims to include and how they're validated is essential for building secure authentication and authorization systems.
JWT Builder
Build and sign JSON Web Tokens with custom claims and your choice of HMAC, RSA, or ECDSA algorithms. All signing happens in your browser.
The secret is used to sign the token. Keep it safe — never share production secrets.
Standard Claims
Custom Claims
No custom claims. Click "Add Claim" to add key-value pairs.
Payload Preview
{
"iat": 1773924504,
"exp": 1773928104
}Algorithm Reference
HMAC (symmetric)
HS256 / HS384 / HS512
Shared secret key. Simple setup. Both signer and verifier need the same key.
RSA (asymmetric)
RS256 / RS384 / RS512
Public/private key pair. Private key signs, public key verifies. Most common in production.
ECDSA (asymmetric)
ES256 / ES384 / ES512
Elliptic curve keys. Smaller keys, same security as RSA. Faster verification.
Complement to JWT Decoder. Build tokens here, decode and inspect them there.
Registered claims
The JWT specification (RFC 7519) defines seven registered claims: "iss" (issuer) identifies who created the token, "sub" (subject) identifies who the token is about, "aud" (audience) specifies the intended recipient, "exp" (expiration time) sets when the token expires as a Unix timestamp, "nbf" (not before) sets the earliest time the token is valid, "iat" (issued at) records when the token was created, and "jti" (JWT ID) provides a unique identifier to prevent replay attacks. All are optional but strongly recommended for production tokens.
Public and private claims
Public claims are registered in the IANA JSON Web Token Claims registry to avoid collisions — examples include "email", "name", and "preferred_username" from OpenID Connect. Private claims are custom key-value pairs agreed upon between the issuer and consumer, such as "role", "permissions", or "tenant_id". Use namespaced keys (e.g., "https://example.com/role") for private claims shared across multiple services to avoid naming conflicts.
Best practices for claims
Keep payloads small — every claim increases token size and network overhead. Never store sensitive data (passwords, credit card numbers) in claims since JWTs are only encoded, not encrypted by default. Always set an expiration (exp) to limit the damage from token theft. Use the audience (aud) claim to prevent tokens issued for one service from being accepted by another. For refresh tokens, prefer opaque tokens stored server-side over long-lived JWTs.
Frequently Asked Questions
What is the difference between iat and nbf in JWT?
"iat" (issued at) records when the token was created. "nbf" (not before) specifies the earliest time the token should be accepted. A token might be issued at 10:00 (iat) but not valid until 10:05 (nbf), useful for scheduled access or clock skew tolerance.
Should I put user roles in JWT claims?
Yes, for authorization decisions that don't change frequently. Including roles like "admin" or "editor" in claims avoids a database lookup on every request. However, if roles change often, the stale JWT will still contain old roles until it expires. Use short expiration times or a token revocation list to mitigate this.
How large can a JWT payload be?
There is no specification limit, but practical limits apply. Most HTTP servers cap header size at 8 KB. Since JWTs are typically sent in the Authorization header, keep the total token under 4-6 KB. A typical auth token with 5-10 claims is around 300-500 bytes encoded.
Related Generate Tools
Privacy Policy Generator
Generate a customized privacy policy with GDPR, CCPA, cookies, analytics, and payment sections
JSON Mock Data Generator
Generate realistic fake JSON data for API testing with 30+ field types, preset templates, and schema builder
README Generator
Generate professional GitHub README.md files with badges, installation steps, usage examples, and more
robots.txt Generator
Generate robots.txt files with crawl rules for Googlebot, Bingbot, AI bots, and more — presets included