Authentication

JWT Payload JSON Example

A copy-ready JSON example of a JWT payload — shows standard claims (iss, sub, exp, iat) plus custom role and permissions fields. Essential reference for authentication API design.

{
  "iss": "https://auth.example.com",
  "sub": "usr_9k2mXpQr4t",
  "aud": "https://api.example.com",
  "exp": 1746096000,
  "nbf": 1746009600,
  "iat": 1746009600,
  "jti": "jwt_4Kp8mLnXqRz",
  "email": "ravi.mehta@example.com",
  "name": "Ravi Mehta",
  "role": "admin",
  "permissions": [
    "users:read",
    "users:write",
    "orders:read",
    "orders:write",
    "reports:read"
  ],
  "orgId": "org_SuratRetail01",
  "sessionId": "sess_9vWkTmHqLp",
  "mfa": true,
  "version": 2
}

Field Reference

issrequiredstringIssuer — the authorization server URL that signed the token
subrequiredstringSubject — the unique user ID this token represents
exprequiredinteger (Unix timestamp)Expiry time; tokens must be rejected after this epoch second
iatrequiredinteger (Unix timestamp)Issued-at time; used to calculate token age
jtioptionalstringJWT ID — unique token identifier used for revocation lists
roleoptionalstringApplication-defined role for coarse-grained access control
permissionsoptionalarray<string>Fine-grained permission scopes in action:resource format
mfaoptionalbooleanWhether the user completed multi-factor authentication

Variants

MinimalStandard claims only — the minimum required for a valid JWT payload.
{
  "iss": "https://auth.example.com",
  "sub": "usr_3hFwLmNz8q",
  "aud": "https://api.example.com",
  "exp": 1746096000,
  "iat": 1746009600,
  "jti": "jwt_7Rn2pQsTmW"
}
ExtendedFull payload with custom claims, tenant info, device fingerprint, and token type.
{
  "iss": "https://auth.example.com",
  "sub": "usr_9k2mXpQr4t",
  "aud": "https://api.example.com",
  "exp": 1746096000,
  "nbf": 1746009600,
  "iat": 1746009600,
  "jti": "jwt_4Kp8mLnXqRz",
  "tokenType": "access",
  "email": "ravi.mehta@example.com",
  "name": "Ravi Mehta",
  "role": "admin",
  "permissions": [
    "users:read",
    "users:write",
    "orders:read",
    "orders:write",
    "reports:read"
  ],
  "orgId": "org_SuratRetail01",
  "orgName": "Surat Retail Pvt Ltd",
  "sessionId": "sess_9vWkTmHqLp",
  "deviceId": "dev_Xt3qLmNp7Z",
  "mfa": true,
  "ipAddress": "103.21.244.0",
  "version": 2
}

Common Use Cases

  • Designing the access token payload for an OAuth 2.0 / OpenID Connect authorization server
  • Debugging authentication issues by decoding and inspecting a live JWT
  • Writing unit tests that verify role and permission claim extraction middleware
JWTtokenauthclaimsOAuthauthentication

Validate or format this JSON

One click loads this exact example into the tool — no copy-paste needed. Format it, validate it, explore the tree, or generate TypeScript types instantly.

Frequently Asked Questions

Standard JWTs (JWS) are only signed, not encrypted — the payload is Base64URL-encoded and readable by anyone. For confidential claims, use JWE (JSON Web Encryption) or keep sensitive data out of the token.

Access tokens typically expire in 15 minutes to 1 hour. Refresh tokens last 7–30 days. Short-lived access tokens limit the damage window if a token is stolen.

Including roles/permissions avoids a database lookup on every request, which improves latency. However, permission changes only take effect after the old token expires unless you implement a revocation mechanism.

Related JSON Examples