Reference

JWT Registered Claims

The meaning and usage of the standard claims defined in RFC 7519.

iss
Identifies the party that issued the token, usually the name or URL of the auth server. On verification, check it matches the expected issuer.
sub
Identifies the subject the token is about (typically the user). It must be unique within the issuer's scope.
aud
Indicates the intended recipients of the token. A verifier must confirm it is included in this audience.
exp
The token must not be accepted after this time. Expressed as a Unix time in seconds since 1970-01-01.
nbf
The token is not valid before this time (Not Before). Paired with exp it forms a validity window.
iat
The time the token was issued. Useful for computing token age or reissue policies.
jti
A unique identifier for the token. Used to mark tokens as spent to prevent reuse or replay attacks.
scope
In OAuth 2.0, holds the space-separated permissions granted to the token. Not formally registered, but widely used.
Try decoding a token yourselfJust paste and the header, payload and claims unfold instantly.
Open the decoder