Authentication

JWT Payload JSON Example

A copy-ready JSON example of a JWT payload — shows standard claims (iss, sub, exp, iat) plus custom role and permissions fields. Essential reference for authentication API design.

{
  "iss": "https://auth.example.com",
  "sub": "usr_9k2mXpQr4t",
  "aud": "https://api.example.com",
  "exp": 1746096000,
  "nbf": 1746009600,
  "iat": 1746009600,
  "jti": "jwt_4Kp8mLnXqRz",
  "email": "ravi.mehta@example.com",
  "name": "Ravi Mehta",
  "role": "admin",
  "permissions": [
    "users:read",
    "users:write",
    "orders:read",
    "orders:write",
    "reports:read"
  ],
  "orgId": "org_SuratRetail01",
  "sessionId": "sess_9vWkTmHqLp",
  "mfa": true,
  "version": 2
}

Field Reference

Field        Type                       Required  Description
iss          string                     required  Issuer — the authorization server URL that signed the token
sub          string                     required  Subject — the unique user ID this token represents
exp          integer (Unix timestamp)   required  Expiry time; tokens must be rejected after this epoch second
iat          integer (Unix timestamp)   required  Issued-at time; used to calculate token age
jti          string                     optional  JWT ID — unique token identifier used for revocation lists
role         string                     optional  Application-defined role for coarse-grained access control
permissions  array<string>              optional  Fine-grained permission scopes in action:resource format
mfa          boolean                    optional  Whether the user completed multi-factor authentication

Variants

Minimal
Standard claims only — the minimum required for a valid JWT payload.
{
  "iss": "https://auth.example.com",
  "sub": "usr_3hFwLmNz8q",
  "aud": "https://api.example.com",
  "exp": 1746096000,
  "iat": 1746009600,
  "jti": "jwt_7Rn2pQsTmW"
}
Extended
Full payload with custom claims, tenant info, device fingerprint, and token type.
{
  "iss": "https://auth.example.com",
  "sub": "usr_9k2mXpQr4t",
  "aud": "https://api.example.com",
  "exp": 1746096000,
  "nbf": 1746009600,
  "iat": 1746009600,
  "jti": "jwt_4Kp8mLnXqRz",
  "tokenType": "access",
  "email": "ravi.mehta@example.com",
  "name": "Ravi Mehta",
  "role": "admin",
  "permissions": [
    "users:read",
    "users:write",
    "orders:read",
    "orders:write",
    "reports:read"
  ],
  "orgId": "org_SuratRetail01",
  "orgName": "Surat Retail Pvt Ltd",
  "sessionId": "sess_9vWkTmHqLp",
  "deviceId": "dev_Xt3qLmNp7Z",
  "mfa": true,
  "ipAddress": "103.21.244.0",
  "version": 2
}

Common Use Cases

  • Designing the access token payload for an OAuth 2.0 / OpenID Connect authorization server
  • Debugging authentication issues by decoding and inspecting a live JWT
  • Writing unit tests that verify role and permission claim extraction middleware


Frequently Asked Questions

Standard JWTs (JWS) are only signed, not encrypted — the payload is Base64URL-encoded and readable by anyone. For confidential claims, use JWE (JSON Web Encryption) or keep sensitive data out of the token.

Access tokens typically expire in 15 minutes to 1 hour. Refresh tokens last 7–30 days. Short-lived access tokens limit the damage window if a token is stolen.

Including roles/permissions avoids a database lookup on every request, which improves latency. However, permission changes only take effect after the old token expires unless you implement a revocation mechanism.
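The following is an added example, not JSONKit's own code, that exercises the field reference, the "unit tests for claim extraction middleware" use case and the three FAQ points above in one place: it signs the page's example payload as an HS256 JWS using only the Python standard library, shows that the payload can be read without the key, then verifies signature, iss, aud, exp, nbf and a jti deny-list before exposing the role and permissions claims. The secret key, the function names and the `revoked_jti` deny-list are assumptions of this example; the claim values are the page's own sample data.

```python
import base64
import hashlib
import hmac
import json

# Constructed HS256 key for this demonstration only (not a real deployment secret).
SECRET = b"example-hs256-key-for-local-testing-only"

# The page's example payload, reused here as test input.
SAMPLE_PAYLOAD = {
    "iss": "https://auth.example.com",
    "sub": "usr_9k2mXpQr4t",
    "aud": "https://api.example.com",
    "exp": 1746096000,
    "nbf": 1746009600,
    "iat": 1746009600,
    "jti": "jwt_4Kp8mLnXqRz",
    "role": "admin",
    "permissions": ["users:read", "users:write", "orders:read", "orders:write", "reports:read"],
    "mfa": True,
}


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """Read the payload without the key: a JWS is signed, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify(token: str, key: bytes, issuer: str, audience: str, now: int,
           revoked_jti: frozenset = frozenset(), leeway: int = 0) -> dict:
    """Verify the signature and standard claims; return the claims only if every check passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm the verifier expects instead of trusting the header's alg value.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    for name in ("iss", "sub", "exp", "iat"):
        if name not in claims:
            raise TokenError(f"missing required claim {name}")
    if claims["iss"] != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise TokenError("token not intended for this audience")
    if now >= claims["exp"] + leeway:          # reject at or after the exp epoch second
        raise TokenError("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise TokenError("token not yet valid")
    if claims.get("jti") in revoked_jti:       # assumed jti deny-list standing in for a revocation store
        raise TokenError("token revoked")
    return claims


def has_permission(claims: dict, permission: str) -> bool:
    """Middleware-style check against the action:resource permission list."""
    return permission in claims.get("permissions", [])


if __name__ == "__main__":
    token = sign_hs256(SAMPLE_PAYLOAD, SECRET)
    print("unverified sub:", decode_unverified(token)["sub"])
    claims = verify(token, SECRET, "https://auth.example.com", "https://api.example.com", now=1746010000)
    print("role:", claims["role"], "users:write:", has_permission(claims, "users:write"))
```

The verifier pins `alg` to HS256 and compares signatures with `hmac.compare_digest`; the `revoked_jti` set is where a real revocation store would plug in, which is the mechanism the last FAQ answer refers to for making permission changes effective before the token expires.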
