
What is the difference between private and public claims in JWT?

I'm confused about the difference between those two kinds of claims. From what I understand, they are both custom claims. So what is the difference?

NewDev

2 Answers


Public claims

Custom claim names that are required to be collision resistant. Their names should be UUIDs or prefixed by a URL to create a safe namespace for them and avoid collisions.

Private claims

Custom claim names that are not required to be collision resistant.

What is the difference between private and public claims in JWT?

The only difference is that public claims are required to be universally collision-resistant, while private claims are not.

Julien
Mike Ezzati
  • 2
    thanks for the reply. How do you set a public claim and private claim? – NewDev Mar 12 '18 at 01:36
  • 6
    Since JWT payload is a JSON, technically you can put any key/value pair as claim in there and sign it. Any non-registered claim's name/key that complies to public claim rules is a public claim, otherwise its a private claim. – Mike Ezzati Mar 12 '18 at 08:02
  • 1
    Could you please provide an example to make it more straightforward? – Ryan Lyu Feb 26 '21 at 04:57

Public claims are like a public API that is defined for public consumption. They should be well documented. RFC 7519 defines several ways to do it.

  1. You can register a public claim name in the IANA "JSON Web Token Claims" registry specified in the RFC. There is a whole approval process around it. See section 10.1: https://tools.ietf.org/html/rfc7519#section-10.1
  2. You have to make sure that the public claim name is collision-resistant, i.e. highly unlikely to collide with other names. Examples are UUIDs, OIDs or domain names.

Private claims are claims that are known only to the producer and consumer of a JWT. Private claim names are not collision-resistant and should be used with a clear understanding of this, and with care...

Community
mikmela
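The comment on the first answer asks for a concrete example, and the second answer describes the two naming routes (IANA registration, or a collision-resistant name such as a UUID or domain/URL). The following Python is an added illustration, not code from either answer: it signs and verifies a compact HS256 JWT with the standard library only, and classifies each claim name as registered, public or private. The classification rule (URI-style or UUID names count as collision-resistant, hence public; any other unregistered name is private) is this example's own assumption, and the claim names, key and values are constructed placeholders. The registered set lists only the RFC 7519 section 4.1 names; the IANA registry holds many more, which this example does not enumerate.

```python
import base64
import hashlib
import hmac
import json
import re

# Claim names registered in RFC 7519 section 4.1. The IANA "JSON Web Token
# Claims" registry holds many more (e.g. OpenID Connect claims); they are not
# enumerated here, so any other name is judged by its shape alone (assumption).
REGISTERED_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
URI_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def classify_claim(name: str) -> str:
    """Return 'registered', 'public' or 'private' for a claim name.

    Heuristic chosen for this example: a name is treated as collision-resistant
    (public) when it is a URI with a scheme or a UUID; other unregistered names
    are private, i.e. only meaningful between this producer and consumer.
    """
    if name in REGISTERED_CLAIMS:
        return "registered"
    if UUID_RE.match(name) or URI_RE.match(name):
        return "public"
    return "private"


def _b64url(data: bytes) -> str:
    # JWS uses unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT. The payload is plain JSON, so any claim name is accepted."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Verify the HS256 signature in constant time and return the claims, or raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    # Only accept the algorithm we issued; never let the token pick another one.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def claim_report(claims: dict) -> dict:
    """Map each claim name in a payload to its classification."""
    return {name: classify_claim(name) for name in claims}


# Constructed sample payload: one registered claim, a URL-namespaced public claim,
# a UUID-named public claim, and a bare private claim that could collide elsewhere.
# The domain, UUID, values and key are placeholders invented for this example.
SAMPLE_CLAIMS = {
    "sub": "user-42",
    "https://example.com/claims/role": "admin",
    "0b4a0b6a-3f7e-4a3c-9f0c-4d2e1f1a2b3c": "tenant-7",
    "role": "admin",
}
SAMPLE_KEY = b"constructed-demo-key-not-for-production"


if __name__ == "__main__":
    token = sign_jwt(SAMPLE_CLAIMS, SAMPLE_KEY)
    print(token)
    for name, kind in claim_report(verify_jwt(token, SAMPLE_KEY)).items():
        print(f"{kind:10} {name}")
```

Note that `"role"` and `"https://example.com/claims/role"` carry the same value but are different keys: the namespaced one cannot be confused with another issuer's `role`, which is exactly the collision resistance the answers describe, while the bare one only works while producer and consumer agree on its meaning.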