Understanding JWT Claims and Best Practices for Secure Token Authentication

What are JWT claims?

JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims between two parties. Claims are statements about an entity (typically the user) and additional metadata. They form the payload of a JWT and contain the actual information being transmitted.

Understanding JWT claims is essential for implementing secure authentication and authorization in modern web applications. This guide covers everything from basic claim types to advanced security practices.

JWT structure overview

Before diving into claims, it helps to understand the JWT structure. A JWT consists of three parts separated by dots: header, payload, and signature.

• Header: Contains the token type (JWT) and signing algorithm (e.g., HS256, RS256)
• Payload: Contains the claims (the data you want to transmit)
• Signature: Verifies the token has not been tampered with
• Format: xxxxx.yyyyy.zzzzz (Base64URL encoded)

Registered claims (RFC 7519)

Registered claims are predefined claims recommended by the JWT specification. They are not mandatory but provide a standardized set of useful, interoperable claims.

• iss (issuer): Identifies who issued the JWT (e.g., "https://auth.example.com")
• sub (subject): Identifies the principal subject of the JWT (e.g., user ID)
• aud (audience): Identifies the recipients the JWT is intended for
• exp (expiration time): Unix timestamp after which the JWT must not be accepted
• nbf (not before): Unix timestamp before which the JWT must not be accepted
• iat (issued at): Unix timestamp when the JWT was issued
• jti (JWT ID): Unique identifier for the JWT to prevent replay attacks

Public claims

Public claims are custom claims that can be defined by anyone using JWTs. To avoid collisions, they should be defined in the IANA JSON Web Token Registry or use collision-resistant names like URIs.

• email: User email address (commonly used but not registered)
• name: User display name
• picture: URL to user profile picture
• https://example.com/is_admin: Namespace-prefixed custom claim
• Use IANA registry names when available for interoperability

Private claims

Private claims are custom claims created for sharing information between parties that agree on their use. They are neither registered nor public claims.

• user_id: Application-specific user identifier
• role: User role or permission level
• organization_id: Multi-tenant application identifier
• permissions: Array of specific permissions
• Use clear, descriptive names that do not conflict with registered claims

Expiration and time-based claims

Time-based claims are critical for token security. They control when tokens become valid and when they expire.

• exp (expiration): Always set this claim. Short-lived tokens (15-60 minutes) are more secure
• iat (issued at): Useful for determining token age and detecting stale tokens
• nbf (not before): Prevents tokens from being used before a specific time
• All time claims use Unix timestamps (seconds since January 1, 1970 UTC)
• Account for clock skew between servers (typically 30-60 seconds tolerance)

Common JWT claim patterns

Here are typical claim configurations for different use cases.

• Access token: Short exp (15 min), includes sub, aud, scope/permissions
• Refresh token: Longer exp (7 days), minimal claims, jti for revocation
• ID token (OIDC): Includes user profile claims (name, email, picture)
• Service-to-service: Includes iss, aud, iat, exp for API authentication

Security best practices for claims

Proper claim handling is essential for JWT security. Follow these practices to protect your applications.

• Never store sensitive data in claims (passwords, credit cards, PII)
• Always validate exp, iat, and nbf claims on the server
• Verify the iss claim matches your expected issuer
• Check the aud claim to ensure the token is meant for your service
• Use jti for token revocation and replay attack prevention
• Keep payload size small since JWTs are sent with every request

Choosing the right signing algorithm

The algorithm you choose affects both security and architecture. Understanding the options helps you make the right choice.

• HS256 (HMAC): Symmetric key, simple but requires shared secret
• RS256 (RSA): Asymmetric keys, issuer has private key, verifiers use public key
• ES256 (ECDSA): Asymmetric, smaller keys than RSA with equivalent security
• Never use "none" algorithm in production
• RS256/ES256 are preferred for distributed systems where multiple services verify tokens

Token expiration strategies

Choosing the right expiration time involves balancing security and user experience.

• Short-lived access tokens (15-60 minutes): Limits exposure if token is compromised
• Longer refresh tokens (days/weeks): Enables seamless re-authentication
• Sliding expiration: Extends token life with activity
• Absolute expiration: Forces re-authentication after fixed time regardless of activity
• Consider your threat model when choosing expiration times

Token revocation strategies

JWTs are stateless by design, making revocation challenging. Here are common approaches.

• Short expiration times: Simplest approach, limits damage window
• Token blacklist: Store revoked jti values in a fast cache (Redis)
• Token versioning: Include a version claim, increment on logout/password change
• Reference tokens: Store tokens server-side, return opaque reference to client
• Refresh token rotation: Issue new refresh token with each use, revoke old ones

Validating JWT claims in code

Always validate claims server-side. Never trust claims without verification.

• Verify signature first, then validate claims
• Check exp is in the future (with clock skew tolerance)
• Check nbf is in the past (if present)
• Validate iss matches expected issuer exactly
• Validate aud includes your service identifier
• Check required custom claims exist and have valid values

Common JWT security mistakes

Avoid these frequently seen JWT implementation errors.

• Storing tokens in localStorage (vulnerable to XSS)
• Not validating the signature before reading claims
• Using weak or predictable signing secrets
• Accepting the alg header without validation
• Setting expiration too far in the future
• Including sensitive data in the payload
• Not implementing token revocation for logout

JWT storage recommendations

Where you store JWTs affects security. Choose based on your application type.

• HttpOnly cookies: Best for web apps, immune to XSS attacks
• Memory only: Most secure for SPAs, lost on page refresh
• Secure cookie + CSRF token: Balance of security and convenience
• Never use localStorage for sensitive tokens
• Mobile apps: Use secure storage APIs (Keychain, Keystore)

Debugging JWT issues

When JWTs fail validation, systematic debugging helps identify the problem.

• Decode the token to inspect claims (use our JWT Decoder tool)
• Check if exp timestamp has passed
• Verify the signing algorithm matches server expectations
• Ensure clock times are synchronized between servers
• Confirm the secret/public key matches between issuer and verifier
• Look for malformed Base64URL encoding