Quiz Entry - updated: 2026.07.14
What claims should be verified when validating authorization tokens?
Verify the signature first, then check issuer (iss), audience (aud), subject (sub), validity window (iat/exp/jti), and roles — a valid signature alone is not enough.
| Claim | Field | Purpose |
|---|---|---|
| Signature | - | Verify token wasn't tampered with |
| Issuer | iss |
Token came from trusted authorization server |
| Audience | aud |
Token is intended for this application |
| Subject | sub |
User identity |
| Validity | iat, exp, jti |
Token is not expired, issued time is valid |
| Roles | roles |
User's permissions/roles |
Example JWT payload:
{
"iss": "https://sso.mydomain.com",
"aud": "https://targethost.com",
"sub": "123456789",
"name": "John Doe",
"exp": 1589470236,
"roles": ["admin", "superuser"]
}
Always verify: Signature FIRST, then all claims!