diff --git a/user/email_verification.go b/user/email_verification.go
index 0d0c8fdd..79e40328 100644
--- a/user/email_verification.go
+++ b/user/email_verification.go
@@ -65,30 +65,13 @@ func ParseAndVerifyEmailVerificationToken(token string, issuer url.URL, keys []k
 }
 
 func (e EmailVerification) UserID() string {
-	uid, ok, err := e.Claims.StringClaim("sub")
-	if !ok || err != nil {
-		panic("EmailVerification: no sub claim. This should be impossible.")
-	}
-	return uid
+	return assertStringClaim(e.Claims, "sub")
 }
 
 func (e EmailVerification) Email() string {
-	email, ok, err := e.Claims.StringClaim(ClaimEmailVerificationEmail)
-	if !ok || err != nil {
-		panic("EmailVerification: no email claim. This should be impossible.")
-	}
-	return email
+	return assertStringClaim(e.Claims, ClaimEmailVerificationEmail)
 }
 
 func (e EmailVerification) Callback() *url.URL {
-	cb, ok, err := e.Claims.StringClaim(ClaimEmailVerificationCallback)
-	if !ok || err != nil {
-		panic("EmailVerification: no callback claim. This should be impossible.")
-	}
-
-	cbURL, err := url.Parse(cb)
-	if err != nil {
-		panic("EmailVerificaiton: can't parse callback. This should be impossible.")
-	}
-	return cbURL
+	return assertURLClaim(e.Claims, ClaimEmailVerificationCallback)
 }
diff --git a/user/invitation.go b/user/invitation.go
index b1dbbfb1..4daa503c 100644
--- a/user/invitation.go
+++ b/user/invitation.go
@@ -57,3 +57,24 @@ func ParseAndVerifyInvitationToken(token string, issuer url.URL, keys []key.Publ
 
 	return Invitation{tokenClaims.Claims}, nil
 }
+
+func (iv Invitation) UserID() string {
+	return assertStringClaim(iv.Claims, "sub")
+}
+
+func (iv Invitation) Password() Password {
+	pw := assertStringClaim(iv.Claims, ClaimPasswordResetPassword)
+	return Password(pw)
+}
+
+func (iv Invitation) Email() string {
+	return assertStringClaim(iv.Claims, ClaimEmailVerificationEmail)
+}
+
+func (iv Invitation) ClientID() string {
+	return assertStringClaim(iv.Claims, "aud")
+}
+
+func (iv Invitation) Callback() *url.URL {
+	return assertURLClaim(iv.Claims, ClaimInvitationCallback)
+}
diff --git a/user/password.go b/user/password.go
index e97bf240..2c604029 100644
--- a/user/password.go
+++ b/user/password.go
@@ -257,18 +257,11 @@ func ParseAndVerifyPasswordResetToken(token string, issuer url.URL, keys []key.P
 }
 
 func (e PasswordReset) UserID() string {
-	uid, ok, err := e.Claims.StringClaim("sub")
-	if !ok || err != nil {
-		panic("PasswordReset: no sub claim. This should be impossible.")
-	}
-	return uid
+	return assertStringClaim(e.Claims, "sub")
 }
 
 func (e PasswordReset) Password() Password {
-	pw, ok, err := e.Claims.StringClaim(ClaimPasswordResetPassword)
-	if !ok || err != nil {
-		panic("PasswordReset: no password claim. This should be impossible.")
-	}
+	pw := assertStringClaim(e.Claims, ClaimPasswordResetPassword)
 	return Password(pw)
 }
 
diff --git a/user/user.go b/user/user.go
index 734eaf57..0f79b9d9 100644
--- a/user/user.go
+++ b/user/user.go
@@ -42,6 +42,23 @@ const (
 	ClaimInvitationCallback = "http://coreos.com/invitation/callback"
 )
 
+func assertStringClaim(claims jose.Claims, k string) string {
+	s, ok, err := claims.StringClaim(k)
+	if !ok || err != nil {
+		panic("claims were not validated correctly")
+	}
+	return s
+}
+
+func assertURLClaim(claims jose.Claims, k string) *url.URL {
+	ustring := assertStringClaim(claims, k)
+	ret, err := url.Parse(ustring)
+	if err != nil {
+		panic("url claim was not validated correctly")
+	}
+	return ret
+}
+
 type UserIDGenerator func() (string, error)
 
 func DefaultUserIDGenerator() (string, error) {