JWT Payload

The JWT payload is the middle segment of a JSON Web Token, base64url-encoded JSON containing claims. Registered claims (sub, iss, aud, exp, nbf, iat, jti) are standardized in RFC 7519. Public and private custom claims extend the payload for application-specific data like roles or tenant IDs. The payload is not encrypted in a standard JWS — treat it as public information visible to anyone holding the token. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail.

Why It Matters

Everything in the payload is readable by clients and intermediaries. Never store passwords, credit card numbers, or PII you would not show in a browser devtools panel. Design payloads with least privilege: include only claims needed for authorization decisions and keep them small for performance. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses.

Code Example

JWT payload with claims
{
  "sub": "user_123",
  "name": "Ada Lovelace",
  "role": "admin",
  "exp": 1720454400
}

Related Terms

Related Tools

Related Articles

Frequently Asked Questions

Can I put passwords in the JWT payload?

Never. The payload is only encoded, not encrypted. Anyone with the token can decode and read every claim. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

What is the difference between registered and custom claims?

Registered claims like sub and exp are defined in RFC 7519. Custom claims are application-specific keys you define. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

How large can a JWT payload be?

There is no hard limit, but large payloads increase header size on every request. Keep claims minimal. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.