© 2026 Web Util Slyce. All tools run client-side — your data stays private.

How to Format a JWT Payload

JWT payload formatting follows RFC 7519, which defines registered claims such as sub, exp, iat, iss, and aud. Public and private claims follow naming conventions that keep claim names from colliding.


Overview

The JWT payload is a JSON object containing claims about the subject and metadata about the token. Claims fall into three categories: registered, public, and private. The payload is base64url-encoded, not encrypted, so never put sensitive data in it.

Prerequisites

  • A JWT library like jsonwebtoken or jose
  • Understanding of authentication concepts
  • A JWT generator or decoder tool

Step-by-Step Instructions

1. Include required registered claims

At minimum, include sub for the user identifier and exp for the expiration time. Also include iat (issued at) and iss (issuer).

2. Add standardized public claims

Use IANA-registered claims such as name, preferred_username, email, email_verified, picture, and locale for identity tokens.

3. Format custom claims with namespacing

Use a collision-resistant name for custom claims, such as a URI or reverse-domain prefix under a domain you control. For example, use https://api.example.com/role instead of just role.

4. Use the jti claim for token tracking

The jti claim provides a unique identifier for the token, enabling token revocation, replay detection, and audit log correlation.

Common Mistakes to Avoid

  • Putting sensitive data in the payload — the payload is base64url-encoded, not encrypted
  • Using string values for exp and iat — these must be NumericDate values: seconds since the Unix epoch as a JSON number (integer seconds in practice), not a string
  • Including aud as a string when there are multiple audiences — use an array
  • Using mutable user data such as email as the identifier — put a stable identifier in sub


Frequently Asked Questions

What is the maximum size of a JWT payload?

There is no hard limit, but JWTs are usually sent in HTTP headers, which many servers cap at 8KB. Keep payloads under 2KB.

Should I include the user password or secret in the payload?

Never. The payload is base64url-encoded, not encrypted. Anyone who holds the token can read the payload contents.