Claims JWT Referencia

Referencia completa de claims JWT registrados, claims OpenID Connect, claims personalizados, reglas de validación y mejores prácticas de seguridad.

Claims Registrados (RFC 7519)

Claim	Nombre completo	Descripción	Ejemplo	Estado
`iss` string (URI/StringOrURI)	Issuer	Identifies the principal that issued the JWT. Typically the auth server URL.	`"iss": "https://auth.example.com"`	Optional
`sub` string (StringOrURI)	Subject	Identifies the principal that is the subject of the JWT — usually the user ID.	`"sub": "user_123"`	Optional
`aud` string \| string[]	Audience	Identifies the recipients that the JWT is intended for. The API must check this.	`"aud": "https://api.example.com"`	Optional
`exp` NumericDate (Unix timestamp)	Expiration Time	The time after which the JWT MUST NOT be accepted. Critical for security.	`"exp": 1735689600`	Recommended
`nbf` NumericDate (Unix timestamp)	Not Before	The time before which the JWT MUST NOT be accepted. Useful for deferred activation.	`"nbf": 1735603200`	Optional
`iat` NumericDate (Unix timestamp)	Issued At	The time at which the JWT was issued. Used to determine the age of the token.	`"iat": 1735603200`	Optional
`jti` string (unique identifier)	JWT ID	Unique identifier for the JWT. Prevents token replay attacks when combined with a blocklist.	`"jti": "a1b2c3d4-e5f6-7890"`	Optional

Declaraciones de OpenID Connect

Claim	Nombre completo	Descripción	Ejemplo	Estado
`name` string	Full Name	End-user's full name in displayable form.	`"name": "Jane Doe"`	Optional
`given_name` string	Given Name	Given name(s) or first name of the end-user.	`"given_name": "Jane"`	Optional
`family_name` string	Family Name	Surname(s) or last name of the end-user.	`"family_name": "Doe"`	Optional
`email` string	Email Address	End-user's preferred email address.	`"email": "[email protected]"`	Optional
`email_verified` boolean	Email Verified	True if the end-user's email has been verified by the Provider.	`"email_verified": true`	Optional
`picture` string (URL)	Profile Picture URL	URL of the end-user's profile picture.	`"picture": "https://cdn.example.com/user/avatar.jpg"`	Optional
`locale` string (BCP 47)	Locale	End-user's locale as a BCP 47 language tag.	`"locale": "en-US"`	Optional
`zoneinfo` string (IANA tz)	Time Zone	End-user's time zone from the IANA Time Zone Database.	`"zoneinfo": "America/New_York"`	Optional
`updated_at` NumericDate	Profile Updated At	Time the end-user's information was last updated.	`"updated_at": 1700000000`	Optional
`nonce` string	Nonce	String value used to associate a Client session with an ID Token and to mitigate replay attacks.	`"nonce": "n-0S6_WzA2Mj"`	Optional
`at_hash` string (base64url)	Access Token Hash	Hash of the Access Token value. Used to validate the access_token.	`"at_hash": "77QmUPtjPfzWtF2AnpK9RQ"`	Optional
`auth_time` NumericDate	Authentication Time	Time when the end-user was authenticated.	`"auth_time": 1700000000`	Optional

Claims de Seguridad

Claim	Nombre completo	Descripción	Ejemplo	Estado
`scope` string (space-separated)	Scope	OAuth 2.0 scopes granted to the token. Defines what resources the token can access.	`"scope": "read:users write:profile"`	Optional
`roles` string[]	Roles	Non-standard but widely used. Application roles assigned to the user.	`"roles": ["admin", "editor"]`	Optional
`permissions` string[]	Permissions	Fine-grained permissions. Used by Auth0, AWS Cognito, and others.	`"permissions": ["delete:posts", "read:analytics"]`	Optional
`azp` string (client_id)	Authorized Party	The client_id of the OAuth 2.0 Client that requested the token. Used with OIDC.	`"azp": "my-spa-client-id"`	Optional
`acr` string	Authentication Context Class Reference	Level of authentication that occurred. Values defined by the deployment.	`"acr": "urn:mace:incommon:iap:silver"`	Optional
`amr` string[]	Authentication Methods References	How the user was authenticated (password, OTP, biometric, etc.).	`"amr": ["pwd", "otp"]`	Optional

Guía de Claims Personalizados

Claim	Nombre completo	Descripción	Ejemplo	Estado
`tenant_id` string	Tenant ID (custom)	Multi-tenant app custom claim. Identifies the tenant/organization.	`"tenant_id": "acme-corp"`	Optional
`org_id` string	Organization ID (custom)	Organization identifier used by Auth0, WorkOS, and similar platforms.	`"org_id": "org_12345"`	Optional
`plan` string	Subscription Plan (custom)	User's subscription tier. Common in SaaS billing-based access control.	`"plan": "enterprise"`	Optional

Reglas de Validación

Claim	Nombre completo	Descripción	Ejemplo	Estado
`Verify exp` Rule	Expiration Check	Reject any token where exp < current time (in UTC seconds). Add small clock skew (30–60s).	`if (payload.exp < Date.now() / 1000) throw Error('Expired')`	Required
`Verify iss` Rule	Issuer Check	Must exactly match the expected issuer URL. Reject mismatches.	`if (payload.iss !== "https://auth.example.com") throw Error()`	Required
`Verify aud` Rule	Audience Check	Must contain your API's identifier. Reject tokens issued for other audiences.	`if (!payload.aud.includes("api.example.com")) throw Error()`	Required
`Verify signature` Rule	Signature Verification	NEVER trust a JWT without verifying its cryptographic signature using the correct key/JWKS.	`Use jsonwebtoken.verify() or jose library`	Required
`Check nbf` Rule	Not Before Check	If nbf is present, reject tokens used before this time.	`if (payload.nbf && payload.nbf > Date.now() / 1000) throw Error()`	Recommended
`Check alg` Rule	Algorithm Check	Explicitly specify expected algorithm. Reject 'none' algorithm. Prefer RS256 or ES256 over HS256 for public APIs.	`{ algorithms: ['RS256'] } in verify options`	Required

Algoritmos de Firma

Claim	Nombre completo	Descripción	Ejemplo	Estado
`HS256` Symmetric (shared secret)	HMAC-SHA256	Fast; uses a single shared secret for sign & verify. Only suitable when both parties are trusted (e.g., server-to-server).	`"alg": "HS256"`	Optional
`HS512` Symmetric (shared secret)	HMAC-SHA512	Like HS256 but with 512-bit hash output. Marginally stronger for symmetric use cases.	`"alg": "HS512"`	Optional
`RS256` Asymmetric (RSA 2048+)	RSA-PKCS1v15-SHA256	Most widely supported asymmetric algorithm. Sign with private key, verify with public key. Use this for public APIs and OIDC.	`"alg": "RS256"`	Recommended
`RS512` Asymmetric (RSA 2048+)	RSA-PKCS1v15-SHA512	RS256 with SHA-512. Stronger hash but same RSA security level. Marginally slower.	`"alg": "RS512"`	Optional
`ES256` Asymmetric (EC P-256)	ECDSA with P-256 + SHA-256	Compact, fast asymmetric algorithm. Smaller keys than RSA for equivalent security. Recommended for new systems.	`"alg": "ES256"`	Recommended
`PS256` Asymmetric (RSA + PSS)	RSASSA-PSS with SHA-256	More secure padding than RS256 (probabilistic). Required by FAPI (Financial-grade API) and advanced OIDC profiles.	`"alg": "PS256"`	Optional
`EdDSA` Asymmetric (Edwards-curve)	Ed25519 / Ed448	Modern elliptic curve algorithm. Fastest, smallest signatures. Use with jose library. Not universally supported yet.	`"alg": "EdDSA"`	Optional

Anatomy of a JWT

A JWT consists of three Base64URL-encoded parts separated by dots: Encabezado.Carga útil.Signature

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJzdWIiOiJ1c2VyXzEyMyIsImF1ZCI6Imh0dHBzOi8vYXBpLmV4YW1wbGUuY29tIiwiZXhwIjoxNzM1Njg5NjAwLCJpYXQiOjE3MzU2MDMyMDAsInNjb3BlIjoicmVhZDp1c2VycyJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header

{"alg":"RS256","typ":"JWT"}

Algorithm and token type

Payload

{"iss":"https://auth.example.com","sub":"user_123","exp":1735689600,...}

Claims - the data

Signature

RSASHA256(base64url(header) + '.' + base64url(payload), privateKey)

Cryptographic verification

JWT Security Checklist

críticoNever use algorithm 'none' - always specify expected algorithm explicitly

críticoVerify the signature using the correct public key or JWKS endpoint

criticalAlways validate exp - reject expired tokens, allow 30-60s clock skew

criticalValidate iss matches your expected issuer URL exactly

criticalValidate aud contains your API's audience identifier

highPrefer RS256 or ES256 over HS256 for public APIs (asymmetric keys)

highStore JWTs in httpOnly cookies, not localStorage (XSS protection)

highKeep exp short (15-60 min) and use refresh tokens for longer sessions

mediumNever put sensitive data in JWT payload - it's Base64 encoded, not encrypted

mediumUse jti + server-side blocklist for token revocation if needed

Related Tools

Use the Codificador/Decodificador JWT to interactively build, sign, and inspect JWT tokens.

Preguntas Frecuentes

¿Cuál es la diferencia entre exp, nbf e iat?

exp (expiration time) es cuando expira el token. nbf (not before) es cuando el token se vuelve válido. iat (issued at) registra cuándo fue emitido. Los tres usan formato NumericDate (segundos desde Unix epoch).

¿Cuánto tiempo deben ser válidos los tokens JWT?

Los tokens de acceso deben tener vida corta: 5-60 minutos para la mayoría de apps. Los tokens de refresco pueden ser más largos: días a semanas. Nunca almacenes datos sensibles en el payload JWT ya que es solo base64url-encoded, no cifrado.

¿Para qué se usa el claim sub?

sub (subject) identifica al principal (típicamente un ID de usuario) del que trata el JWT. Debe ser único dentro del contexto del emisor. Usa un identificador estable como UUID o ID numérico en lugar de nombre de usuario o email.

¿Debo poner roles de usuario en claims JWT?

Sí, para autorización sin estado. Incluye roles/permisos en claims personalizados. Sin embargo, mantén los tokens ligeros. Para permisos granulares, considera el patrón de token de referencia donde el JWT contiene un ID de sesión.