Guide · Jul 7, 2026

What's Actually Inside a JWT: Understanding Common Claims

Decode any JWT and you'll get a JSON object full of short, cryptic field names — iss, aud, sub, and whatever custom fields the issuer added. They're standardized enough that once you know what a handful of them mean, most tokens you'll ever encounter become readable at a glance.

The registered claims (part of the JWT spec)

These have fixed meanings defined by the JWT standard itself — any library or service that produces JWTs is expected to use them the same way:

Common custom claims (not part of the spec, but everywhere in practice)

Beyond the registered claims, issuers add whatever additional fields their application needs. These aren't standardized, but a few show up often enough to be worth recognizing:

Reading a real payload, claim by claim

A typical access token payload might look like this:

{
  "iss": "https://auth.example.com",
  "sub": "user_8f2a91",
  "aud": "api.example.com",
  "iat": 1735689600,
  "exp": 1735693200,
  "roles": ["editor"],
  "org_id": "org_4471"
}

Read left to right, this says: a token issued by auth.example.com, identifying user user_8f2a91, meant only for api.example.com to accept, created at a specific moment and valid for one hour after that (exp minus iat), granting "editor" permissions within organization org_4471. Every field here is answerable on its own — the skill in reading a JWT quickly is just recognizing each abbreviation without having to look it up every time, which is really all this reference is for.

What you can and can't trust from a decoded token

Every claim listed here is only meaningful if the token's signature has actually been verified against the issuer's real signing key. Decoding shows you what a token claims; it says nothing about whether those claims are genuine. A token with a roles: ["admin"] claim and an invalid or unchecked signature proves nothing — anyone can construct a JSON payload that says whatever they want. This is why signature verification, done server-side with the actual key, is the step that makes any of these claims trustworthy.

Try it

FreeToolDev's JWT Decoder decodes multiple tokens at once and lays out every claim clearly, with human-readable timestamps for exp/iat/nbf — entirely client-side, so nothing you paste in is sent anywhere.