LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What claims should be verified when validating authorization tokens?

Verify the signature first, then check issuer (iss), audience (aud), subject (sub), validity window (iat/exp/jti), and roles — a valid signature alone is not enough.

Claim Field Purpose
Signature - Verify token wasn't tampered with
Issuer iss Token came from trusted authorization server
Audience aud Token is intended for this application
Subject sub User identity
Validity iat, exp, jti Token is not expired, issued time is valid
Roles roles User's permissions/roles

Example JWT payload:

{
  "iss": "https://sso.mydomain.com",
  "aud": "https://targethost.com",
  "sub": "123456789",
  "name": "John Doe",
  "exp": 1589470236,
  "roles": ["admin", "superuser"]
}

Always verify: Signature FIRST, then all claims!

From Quiz: SPRG / Authorization | Updated: Jul 14, 2026