ID token claims
Inspect the contents of the ID token
An ID token is a JSON Web Token (JWT) containing cryptographically signed claims about a user’s profile information. Scalekit issues this token after successful authentication. The ID token is a Base64-encoded JSON object with three parts: header, payload, and signature.
Here’s an example of the payload. Note this is formatted for readability and the header and signature fields are skipped.
{ "iss": "https://yoursaas.scalekit.com", "azp": "skc_12205605011849527", "aud": ["skc_12205605011849527"], "amr": ["conn_17576372041941092"], "sub": "conn_17576372041941092;google-oauth2|104630259163176101050", "at_hash": "HK6E_P6Dh8Y93mRNtsDB1Q", "c_hash": "HK6E_P6Dh8Y93mRNtsDB1Q", "iat": 1353601026, "exp": 1353604926, "name": "John Doe", "given_name": "John", "family_name": "Doe", "picture": "https://lh3.googleusercontent.com/a/ACg8ocKNE4TZj2kyLOj094kie_gDlUyU7JCZtbaiEma17URCEf=s96-c", "locale": "en", "email": "john.doe@acmecorp.com", "email_verified": true}Full list of ID token claims
Section titled “Full list of ID token claims”| Claim | Presence | Description |
|---|---|---|
aud | Always | Intended audience (client ID) |
amr | Always | Authentication method reference values |
exp | Always | Expiration time (Unix timestamp) |
iat | Always | Issuance time (Unix timestamp) |
iss | Always | Issuer identifier (Scalekit environment URL) |
oid | Always | Organization ID of the user |
sub | Always | Subject identifier for the user |
at_hash | Always | Access token hash |
c_hash | Always | Authorization code hash |
azp | Always | Authorized presenter (usually same as aud) |
email | Always | User’s email address |
email_verified | Optional | Email verification status |
name | Optional | User’s full name |
family_name | Optional | User’s surname or last name |
given_name | Optional | User’s given name or first name |
locale | Optional | User’s locale (BCP 47 language tag) |
picture | Optional | URL of user’s profile picture |
Verifying the ID token
Section titled “Verifying the ID token”In some cases, you may need to parse the ID token manually—for example, to access custom claims that are not part of the standard User object in the SDK method. These details are encoded in the ID token as JSON Web Token (JWT).
To verify the signature, you need to:
- Fetch the public signing keys from the JSON Web Key Set (JWKS) endpoint.
- Use a JWT library for your language to decode and verify the token using the keys.
The JWKS endpoint for your environment is located at:
https://<YOUR_ENVIRONMENT_URL>/keysFor example, if your Scalekit Environment URL is https://your-environment.scalekit.com, the keys can be found at https://your-environment.scalekit.com/keys.
Important claims
Section titled “Important claims”When validating, pay attention to these claims:
iss(Issuer): This must match your Scalekit environment URL.aud(Audience): This must match your application’s client ID.exp(Expiration Time): Ensure the token has not expired.sub(Subject): This uniquely identifies the user, often combining theconnection_idand the identity provider’s unique user ID.amr: Contains theconnection_idused for authentication.
This structure provides a neutral, factual reference for ID token claims in Scalekit, organized according to the data structure itself.
An ID token is a cryptographically signed Base64-encoded JSON object containing name/value pairs about the user’s profile information. It is a JWT token. Validate an ID token before using it. Since you communicate directly with Scalekit over HTTPS and use your client secret to exchange the code for the ID token, you can be confident that the token comes from Scalekit and is valid.
If you use the Scalekit SDK to exchange the code for the ID token, the SDK automatically decodes the base64url-encoded values, parses the JSON, validates the JWT, and accesses the claims within the ID token.