Authyo Docs

JWT Token

Understanding Claims in a Session JWT Token

Learn how to decode, read and validate the claims in a session JWT token issued by Authyo.

Understanding JWT Claims

JWT (JSON Web Token) claims are the data elements embedded in a token that describe the authenticated user and their session. Applications use them to identify the user, enforce authorization rules, and decide whether a session is still valid.
An Authyo JWT consists of three base64url-encoded segments separated by dots:
Header – metadata about the token, such as the signing algorithm (alg) and token type (typ); the sample below also carries a key identifier (kid).
Payload – the claims themselves: user and session identifiers, contact details, and the channel that was used.
Signature – a MAC or digital signature computed over the header and payload; successful verification proves the token was issued by the holder of the signing key and has not been altered since.
Claims may only be acted on after the signature has been verified: the header and payload are encoded, not encrypted, so anyone can read them and anyone can rewrite them. Once verified, the claims tell the application what the user is permitted to do and whether the session is still valid.

Decoding an Example JWT

To see how this works in practice, here is a sample session token split into its three segments. Its header segment decodes to {"alg":"RS256","typ":"JWT","kid":"authyo-key-id"}. The signature segment is truncated in this sample, so the token cannot be verified as printed, and the payload shown under Decoded Payload is the documented claim set rather than a byte-for-byte decode of this string; always decode the token your own application actually receives.

Example Encoded JWT

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImF1dGh5by1rZXktaWQifQ.eyJzdWIiOiI3ZjIzYzEyZS1hZTVjLTRmZjgtODQwYS0xZjEzZjY0ZjE1ZTciLCJpc3MiOiJodHRwczovL2F1dGh5by5pbyIsIm5hbWUiOiJKb2huIERvZSIsInNlc3Npb25JZCI6IjdmMjNjMTJlLWFlNWMtNGZmOC04NDBhLTFmMTNmNjRmMTVlNyIsImV4cCI6MTczMzU3MDYwMCwiaWF0IjoxNzMzNDgzMjAwLCJ1c2VySWQiOiJVU0VyLTIzYjQ1NmFiLTJhMzAtNDMzZi1hYmRlLWE4NzAxNDU2Zjk4YiIsImVtYWlsIjoiam9obi5kb2VAZXhhbXBsZS5jb20iLCJwaG9uZSI6IjkxOTg3NjU0MzIxMCJ9.R9u4UZcnQ6gZUp8lk43sZ6zVx8OuGnTS2RDAy0Uj8T2Bp8b1L35p-2xxt0P72w7zO8ojJHYtZDh1W87AAp9xtFCaXIdSqq79l2d7grEhX2kQt1lU8A-0Qeckj6XvNN2SHqImKTh72ik7I5EoO0dyH7b9nLw5ZvFss9

Decoded Payload

{
  "sub": "7f23c12e-ae5c-4ff8-840a-1f13f64f15e7",
  "iss": "https://authyo.io",
  "aud": "5f12c12e-a1fc-4ff8-840a-1f13f64f15e7",
  "sessionId": "7f23c12e-ae5c-4ff8-840a-1f13f64f15e7",
  "exp": 1733570600,
  "iat": 1733484200,
  "userId": "AY-23b456ab-2a30-433f-abde-a8701456f98b",
  "email": "john.doe@example.com",
  "phone": "91874512563",
  "channel": "SMS"
}

Explanation of Claims

1. sub – (Subject) unique identifier for the session. In the example it carries the same value as sessionId.
2. iss – (Issuer) the entity that issued the token. For Authyo this is always https://authyo.io.
3. aud – (Audience) the Authyo App Id of the application the token was issued for.
4. sessionId – identifier of the session the token belongs to.
5. exp – (Expiration) Unix timestamp, in seconds, after which the token is invalid.
6. iat – (Issued at) Unix timestamp, in seconds, at which the token was created.
7. userId – unique Authyo user ID.
8. email – the user's email address.
9. phone – the user's verified phone number.
10. channel – the channel used to deliver the OTP/login request. Possible values: "SMS", "Email", "VoiceCall", "WhatsApp".

How to Validate Claims

To validate a JWT token, perform the following checks in order and reject the token if any of them fails:
1. Verify the signature first. Use the clientSecret associated with your application to confirm the token has not been tampered with. Pin the algorithm your verifier expects instead of reading it from the token's alg header, and reject any token whose alg differs from it (in particular "none"); the sample token above declares RS256 with a kid, so confirm which algorithm and key material apply to your app before relying on a shared secret. Do not use any claim until this step has succeeded.
2. Check the iss claim: ensure the token was issued by Authyo (https://authyo.io).
3. Check expiry (exp): ensure the current time is before exp, allowing at most a small clock skew (on the order of a minute).
4. Confirm the audience (aud): aud must equal your own Authyo App Id, otherwise a token issued to a different application would be accepted by yours.
Modified at 2025-09-27 12:36:49