JWT, the JSON Web Tokens, are a standardized (RFC 7519) way of passing the user’s identity between microservices. Internally, the JWT payload is just a JSON object with partially standardized fields, called claims. Some of the claims are defined in RFC 7519, while others can be used (and abused) freely. The video below explains this topic.

In general, claims are divided into 3 categories:

  • registered - defined in the RFC and must be used accordingly
  • public - not defined by the RFC, but their meaning and usage are defined in the public registry of JWT claims
  • private - can be used freely, but might not be compatible with other implementations

The most important registered claims are:

  • iss - the issuer claim, identifies who issued the JWT
  • sub - the subject claim, identifies to whom the JWT was issued
  • aud - the audience claim, identifies for whom the token was issued (the intended recipient)
  • exp - the expiration time, the point in time after which the JWT must no longer be accepted
  • nbf - the “not before” claim, identifies the time before which the JWT must not be accepted for processing
  • iat - the issued-at claim, identifies the exact time when the token was generated
  • jti - the JWT ID, a unique identifier of the token
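As an added example that is not part of the original post, here is a small Python checker for the registered claims listed above, written with the standard library only. It assumes the token is in compact serialization (header.payload.signature) and checks only the claims; the issuer, audience and timestamps are constructed sample values, and signature verification is a separate step that this code does not perform.

```python
import base64
import json

# Constructed sample claims for this example (not from the original post).
SAMPLE_CLAIMS = {"iss": "https://auth.example.test", "sub": "user-42",
                 "aud": ["orders-service", "billing-service"],
                 "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600,
                 "jti": "constructed-jti-0001"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_unsigned_token(claims: dict) -> str:
    # Compact serialization: header.payload.signature; the signature is left
    # empty here because this example only exercises claim handling.
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."

def decode_payload(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWT must have three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))

def check_registered_claims(claims, expected_iss, expected_aud, now, leeway=0):
    # Returns a list of violations; an empty list means the registered claims
    # are acceptable. Signature verification is a separate, prior step.
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss mismatch")
    aud = claims.get("aud")  # RFC 7519 allows a single string or an array
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not name this service")
    exp = claims.get("exp")
    if exp is None or now > exp + leeway:
        problems.append("exp missing or token expired")
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        problems.append("nbf is in the future, token not yet valid")
    iat = claims.get("iat")
    if iat is not None and iat > now + leeway:
        problems.append("iat is in the future")
    return problems
```

The `leeway` parameter absorbs small clock differences between the issuer and the consuming service; keep it to a few seconds.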