The payload will contain data pertaining to the request and the user making it. There are a set of standard key/value pairs that are defined as part of JWT, which you can use on your implementation:

Sub (Subject): Identifies the user making the request and being authenticated

Iss (Issuer): The server that issued the token. In our case, it would make sense to include the URI used

Aud (Audience): Provides some form of identification of the recipient of this token

Exp (Expiration date): Tokens usually don’t last forever. Exp ensures that whoever is using the token provides a recently generated token

https://blog.logrocket.com/secure-rest-api-jwt-authentication/