41

I am generating a JWT for an API token. I am putting the user id into that JWT so I know who is calling into the API. Where do I put the user id in the JWT?

I have seen many different examples that put it in 'sub', 'aud' and even 'iss'. Which is correct, if any? Or does the user id go in a non-registered name?

lostintranslation

1 Answer

39

The `sub` claim is the right claim for the user identifier. The `aud` claim identifies the intended recipient of the JWT and the `iss` claim identifies the issuer/creator. Any other interpretations of these claims are not standard-compliant; see: https://www.rfc-editor.org/rfc/rfc7519#section-4.1

Community
Hans Z.
  • 2
    So there's no standard way, for instance, if I want a humanly readable ID *and* a more database friendly key that represents an id? Should I not even be storing an email as the `sub` claim and just use `internal id`, whatever that may be? – Simon_Weaver Jan 28 '19 at 23:41
  • @Simon_Weaver you may want to look through the registered claims listed here: https://www.iana.org/assignments/jwt/jwt.xhtml – Tej Pochiraju Jul 09 '20 at 16:28
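
The claim roles described in the answer, as an added example that is not part of the original thread: a standard-library HS256 sketch in which the API accepts `sub` as the user id only after checking the signature, `iss`, `aud` and `exp`. The secret, the issuer and audience URLs, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-only-secret"           # constructed demo values (assumptions), not from the page
ISSUER = "https://auth.example.com"    # who mints the token -> iss
AUDIENCE = "https://api.example.com"   # the API meant to accept it -> aud

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, key: bytes) -> str:
    return b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def issue_token(user_id, key=SECRET, iss=ISSUER, aud=AUDIENCE, ttl=300, now=None):
    """Mint an HS256 JWT whose subject (sub) is the user id."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": iss, "sub": str(user_id), "aud": aud, "iat": now, "exp": now + ttl}
    body = ".".join(b64url(json.dumps(part).encode()) for part in (header, claims))
    return body + "." + sign(body, key)

def user_id_from_token(token, key=SECRET, iss=ISSUER, aud=AUDIENCE, now=None):
    """Return sub only after signature, alg, iss, aud and exp all check out."""
    now = int(time.time()) if now is None else now
    try:
        head, payload, sig = token.split(".")
        if not hmac.compare_digest(sig, sign(head + "." + payload, key)):
            raise ValueError("bad signature")
        if json.loads(unb64url(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        claims = json.loads(unb64url(payload))
        audiences = claims.get("aud")
        if not isinstance(audiences, list):  # RFC 7519: aud is a string or an array
            audiences = [audiences]
        if claims.get("iss") != iss:
            raise ValueError("wrong issuer")
        if aud not in audiences:
            raise ValueError("wrong audience")
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or now >= exp:
            raise ValueError("expired or missing exp")
        sub = claims.get("sub")
        if not isinstance(sub, str) or not sub:
            raise ValueError("missing sub")
        return sub
    except (TypeError, AttributeError) as exc:
        raise ValueError("malformed token") from exc
```

A token minted for a different audience or by a different issuer is rejected even when its signature is valid, which is why the user id belongs in `sub` and not in `aud` or `iss`.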