JSON Web Token (JWT) is a standard token format that can be signed and/or encrypted. A signed token uses JSON Web Signature (JWS); an encrypted token uses JSON Web Encryption (JWE).

The JWT specification defines seven optional, registered claims and allows public and private claims to be included in the token. The seven registered claims are:

| Claim | Description |
|-------|-------------|
| iss | Issuer of the JWT |
| sub | Subject that the JWT is representing |
| aud | Audience for the JWT |
| exp | Time the JWT is set to expire |
| nbf | Time the JWT is valid from (not-before) |
| iat | Timestamp when the JWT was issued (issued-at) |
| jti | Unique identifier for the JWT (JWT ID) |

Public claims can be registered for specific use cases. As an example, the OpenID Connect 1.0 specification defines claims such as auth_time, acr and nonce. Private claims can be used by an organization to convey specific claims about the identity (for example first_name, last_name, department). As these claim names are not registered, care must be taken to avoid name collisions.
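A receiver-side check of the registered claims listed above, as an added example that is not part of the original page: it verifies an HS256 JWS using only the Python standard library, then checks iss, aud, exp and nbf. The function names, key, issuer and audience values, the 30-second leeway and the policy of requiring exp (the specification leaves it optional) are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JWS from constructed claims (demo helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url(_sign(key, header + '.' + body))}"

def check_token(token, key, issuer, audience, now=None, leeway=30):
    """Return (claims, problems). claims is None when the token cannot be trusted."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        # Pin the algorithm; never let the token header choose it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None, ["unexpected alg"]
        expected = _sign(key, header_b64 + "." + body_b64)
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None, ["bad signature"]
        claims = json.loads(_unb64url(body_b64))
    except ValueError:
        return None, ["malformed token"]
    if not isinstance(claims, dict):
        return None, ["malformed token"]
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")  # aud may be a single string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud mismatch")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        problems.append("expired or missing exp")
    if isinstance(nbf, (int, float)) and now < nbf - leeway:
        problems.append("not yet valid (nbf)")
    return claims, problems
```

Private claims such as department pass through untouched in the returned claims; the receiver decides what they mean, which is why unregistered names need agreement between issuer and consumer.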