Include sub (user ID), email, roles, iat, exp, and jti for revocation. Keep payloads small — they travel with every request. Never include passwords, sensitive PII, credit card numbers, or SSNs. JWTs are Base64url-encoded and readable by anyone who holds the token; the secret is needed only to verify or produce the signature, not to read the payload.
JWTs are Base64url-encoded — not encrypted by default; anyone with the token can read the payload.
Include only what guards and services need, so that they can authorize a request without a database lookup on every call.
jti (JWT ID) enables per-token revocation via a Redis blacklist without invalidating all tokens.
Avoid embedding frequently-changing data like permissions — stale data in long-lived tokens causes bugs.
Use JWE (JSON Web Encryption) if carrying sensitive data in the payload cannot be avoided; a JWS alone only authenticates the payload, it does not hide it.