Why are JWT claims called claims?

Çağlar Arlı

In authentication, the term 'claim' is used to describe elements like user identity that has not yet been challenged and verified. My understanding is that a 'claim' typically refers to something that has not yet been verified as either true or false.

This makes sense during the authentication process, where a user's claimed identity needs to be validated.

However, in other contexts, such as contexts involving JWTs, where tokens are issued by a trusted authority and carry signed assertions, why do we still refer to the information within these tokens as 'claims'? If the JWT is valid and from a trusted source, why does the term 'claim' continue to imply a need for verification?