Lesson 2

JWT Claims

Learn the difference between registered, public, and private JWT claims.

JWT claims are fields inside the payload. They describe the subject, issuer, audience, time boundaries, permissions, or application-specific facts.

Registered claims

Registered claims have standardized names:

  • iss: issuer, the party that issued the token
  • sub: subject, usually a user or service identifier
  • aud: audience, the intended recipient
  • exp: expiration time
  • nbf: not valid before
  • iat: issued at
  • jti: token identifier

These fields are optional in the JWT format, but many real systems require several of them.

Public and private claims

Public claims are names meant to be shared across systems. Private claims are agreed between your services, such as role, tenantId, scope, or permissions.

Time claims use Unix seconds

JWT time claims are normally NumericDate values: seconds since the Unix epoch. JavaScript often uses milliseconds, so a common bug is accidentally comparing a seconds claim with a millisecond timestamp.

When debugging, always check both the raw Unix value and a human-readable UTC or local time.
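The seconds-versus-milliseconds mistake described above, shown next to a correct check, as an added example that is not part of the lesson. The payload is a constructed sample; signature verification is assumed to have happened before any claim is trusted, and the 60-second skew allowance is an assumption, not something the lesson prescribes.

```javascript
// Added example (not part of the lesson): checking JWT time claims in
// JavaScript, where Date.now() returns milliseconds but exp/nbf/iat are
// NumericDate values in seconds. The payload is constructed for illustration
// and the signature is assumed to have been verified already.

// Wrong: compares a seconds claim with a millisecond clock. Date.now() is
// around 1.7e12, so any realistic exp (around 1.7e9) always looks expired.
function isExpiredBuggy(payload, nowMs = Date.now()) {
  return payload.exp < nowMs;
}

// Correct: convert the clock to seconds, allow a small skew (assumed 60 s),
// and treat a malformed claim as a failure rather than silently passing.
function checkTimeClaims(payload, nowMs = Date.now(), skewSec = 60) {
  const nowSec = Math.floor(nowMs / 1000);
  const problems = [];
  // Returns the claim as a number, undefined if absent, null if malformed.
  const numeric = (name) => {
    const v = payload[name];
    if (v === undefined) return undefined;
    if (typeof v !== 'number' || !Number.isFinite(v)) {
      problems.push(`${name} is not a NumericDate`);
      return null;
    }
    return v;
  };
  const exp = numeric('exp');
  const nbf = numeric('nbf');
  const iat = numeric('iat');
  if (exp === undefined) problems.push('exp missing'); // exp is required here
  else if (exp !== null && nowSec >= exp + skewSec) problems.push('token expired');
  if (nbf != null && nowSec + skewSec < nbf) problems.push('token not yet valid');
  if (iat != null && iat > nowSec + skewSec) problems.push('iat is in the future');
  return { ok: problems.length === 0, problems };
}

// Debugging helper: show the raw Unix value alongside a UTC string.
function describeNumericDate(sec) {
  return `${sec} (${new Date(sec * 1000).toISOString()})`;
}

// Constructed sample: issued at 2024-01-01T00:00:00Z, valid for one hour.
const samplePayload = { sub: 'user-123', iat: 1704067200, nbf: 1704067200, exp: 1704070800 };
const nowMs = 1704069000 * 1000; // clock set 30 minutes after issue, in ms

console.log(isExpiredBuggy(samplePayload, nowMs));   // true: the bug in action
console.log(checkTimeClaims(samplePayload, nowMs));  // { ok: true, problems: [] }
console.log(describeNumericDate(samplePayload.exp)); // 1704070800 (2024-01-01T01:00:00.000Z)
```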

When you want to practice, use the related DevCove tool — optional, not part of this lesson.
