jwt Getting started with jwt What to store in a JWT

Example

The JWT RFC stablish three classes of claims:

• Registered claims like sub, iss, exp or nbf

• Public claims with public names or names registered by IANA which contain values that should be unique like email, address or phone_number. See full list

• Private claims to use in your own context and values can collision

None of these claims are mandatory

A JWT is self-contained and should avoid use the server session providing the necessary data to perform the authentication (no need of server storage and database access). Therefore, role or permissions info can be included in private claims of JWT.

Registered Claims

The following Claim Names are registered in the IANA "JSON Web Token Claims" registry established by Section 10.1.

• iss (issuer): identifies the principal that issued the JWT.
• sub (subject): identifies the principal that is the subject of the JWT. Must be unique
• aud (audience): identifies the recipients that the JWT is intended for (array of strings/uri)
• exp (expiration time): identifies the expiration time (UTC Unix) after which you must no longer accept this token. It should be after the issued-at time.
• nbf(not before): identifies the UTC Unix time before which the JWT must not be accepted
• iat (issued at): identifies the UTC Unix time at which the JWT was issued
• jti (JWT ID): provides a unique identifier for the JWT.

Example

{
    "iss": "stackoverflow",
    "sub": "joe",
    "aud": ["all"],
    "iat": 1300819370,
    "exp": 1300819380,
    "jti": "3F2504E0-4F89-11D3-9A0C-0305E82C3301"
    "context": {
        "user": {
            "key": "joe",
            "displayName": "Joe Smith"
        },
        "roles":["admin","finaluser"]
    }
}