What is the Sub Claim of a JSON Web Token?
Published: April 02, 2021 • Updated: December 31, 2022 • 2 min read
- jwt
Today I’d like to explain the sub, or subject, registered claim of a JSON Web
Token.
Registered claims are predefined fields of the JWT that are not mandatory but recommended. Like all JWT claims, they must be unique.
sub is the subject of the JWT– the user who requested the token, typically
an email address. By using it, we can send and receive a small, unique piece of
data about a user along with each request, without any additional requests.
This means that after a user authenticates and we grant a token, we can use that same token to figure out who the user is, plus show them a little free piece of information (account email) with any request. That’s a lot of functionality for one string!
sub is defined in the spec
as a StringOrURI. If you need more data than one string or URI can provide,
you’re going to have to provide another claim on the JWT, or more
probably, make a network request.
What are your thoughts on this? Let me know!
Join 100+ engineers who subscribe for advice, commentary, and technical deep-dives into the world of software.