What is the Sub Claim of a JSON Web Token?

April 2, 2021

Today I’d like to explain the sub, or subject, registered claim of a JSON Web Token.

Registered claims are predefined fields of the JWT that are not mandatory but recommended. Like all JWT claims, they must be unique.

sub is the subject of the JWT– the user who requested the token, typically an email address. By using it, we can send and receive a small, unique piece of data about a user along with each request, without any additional requests.

This means that after a user authenticates and we grant a token, we can use that same token to figure out who the user is, plus show them a little free piece of information (account email) with any request. That’s a lot of functionality for one string!

sub is defined in the spec as a StringOrURI. If you need more data than one string or URI can provide, you’re going to have to provide another claim on the JWT, or more probably, make a network request.