What are claims in a JWT?

Claims are the key/value pairs inside a JWT's payload — standardized fields like `sub`, `exp`, and provider-specific attributes.

April 17, 2026 · LoginWith team

Claims are the individual pieces of information inside a JWT’s payload. They’re JSON key/value pairs that describe the subject of the token.

Standard claims (RFC 7519)

sub — subject (who the token is about; stable user ID)
iss — issuer (who issued the token)
aud — audience (who the token is for)
exp — expiration time
iat — issued at
nbf — not before (token isn’t valid yet)
jti — JWT ID (unique identifier for the token)

OIDC claims

OIDC adds standardized identity claims:

email, email_verified
name, given_name, family_name
picture
locale
phone_number, phone_number_verified

Custom claims

Providers and applications can add their own claims. Namespacing is good practice to avoid collisions:

{
  "https://yourapp.com/tenant_id": "tenant_abc",
  "https://yourapp.com/role": "admin"
}

Validation

Always validate:

iss matches the expected issuer
aud includes your client ID
exp hasn’t passed
nbf (if present) has been reached

A library should handle all of these — don’t hand-roll.

See the full auth glossary for related terms.

Want auth that just works?

Get started with LoginWith