Claims Viewer

Claims Viewer

JWT claims viewer online. View and understand all JWT claims with descriptions. Highlights standard claims (iss, sub, aud, exp) and flags missing recommended claims.

Standard JWT Claims (RFC 7519)

iss Issuer — Principal that issued the JWT
sub Subject — Principal that is the subject of the JWT
aud Audience — Recipients that the JWT is intended for
exp Expiration Time — Time after which the JWT expires
nbf Not Before — Time before which the JWT must not be accepted
iat Issued At — Time at which the JWT was issued
jti JWT ID — Unique identifier for the JWT

Features

  • Lists every claim in a token with a short description
  • Highlights the registered claims from RFC 7519 (iss, sub, aud, exp, and more)
  • Flags recommended claims that are missing
  • Separates standard claims from your own custom claims
  • Works offline in your browser with no token ever leaving the page

Common Use Cases

  • Understanding an unfamiliar token issued by a third-party provider
  • Auditing whether a token includes the audience and issuer you expect
  • Learning what each registered claim is for while building an auth flow
  • Spotting typos or missing fields in tokens your own service generates

Registered, public, and private claims

Claims are the key–value pairs inside a JWT payload. The spec (RFC 7519) defines a small set of registered claims with reserved meanings: iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), and jti (token id).

Everything else falls into two buckets. Public claims use collision-resistant names (often a URI) so they can be shared safely between systems, while private claims are whatever custom fields you and your consumer agree on, like role or email.

Reading claims tells you what a token asserts, but it does not prove any of it is true — that guarantee comes only from verifying the signature.

Examples

Valid - Payload with common registered claims
{
  "iss": "https://auth.example.com",
  "sub": "user_123",
  "aud": "my-api",
  "exp": 1916239022,
  "iat": 1516239022
}
Valid - Custom (private) claims alongside standard ones
{
  "sub": "user_123",
  "role": "admin",
  "email": "jane@example.com"
}

Frequently Asked Questions

What is the difference between "sub" and a user id claim?
The "sub" (subject) claim is the registered, standard place to identify who the token is about. A custom field like "userId" works too, but "sub" is understood by libraries and other services out of the box.
Why should I check the "aud" claim?
The audience claim says which service the token is meant for. Verifying it prevents a token issued for one API from being accepted by another.
Are custom claims allowed?
Yes. Anything beyond the registered claims is a public or private claim. Keep names short to save space and avoid clashing with reserved claim names.