Skip to content

ID token claims

An ID token is a JSON Web Token (JWT) containing cryptographically signed claims about a user’s profile information. This is issued by Scalekit after successful authentication. The ID token is a Base64-encoded JSON object with three parts: header, payload, and signature.

Here’s an example of the payload. Note this is formatted for readability and the header and signature fields are skipped.

Sample IdToken payload
{
"iss": "https://yoursaas.scalekit.com",
"azp": "skc_12205605011849527",
"aud": ["skc_12205605011849527"],
"amr": ["conn_17576372041941092"],
"sub": "conn_17576372041941092;google-oauth2|104630259163176101050",
"at_hash": "HK6E_P6Dh8Y93mRNtsDB1Q",
"c_hash": "HK6E_P6Dh8Y93mRNtsDB1Q",
"iat": 1353601026,
"exp": 1353604926,
"name": "John Doe",
"given_name": "John",
"family_name": "Doe",
"picture": "https://lh3.googleusercontent.com/a/ACg8ocKNE4TZj2kyLOj094kie_gDlUyU7JCZtbaiEma17URCEf=s96-c",
"locale": "en",
"email": "john.doe@acmecorp.com",
"email_verified": true
}
ClaimPresenceDescription
audAlwaysIntended audience (client ID)
amrAlwaysAuthentication method reference values
expAlwaysExpiration time (Unix timestamp)
iatAlwaysIssuance time (Unix timestamp)
issAlwaysIssuer identifier (Scalekit environment URL)
oidAlwaysOrganization ID of the user
subAlwaysSubject identifier for the user
at_hashAlwaysAccess token hash
c_hashAlwaysAuthorization code hash
azpAlwaysAuthorized presenter (usually same as aud)
emailAlwaysUser’s email address
email_verifiedOptionalEmail verification status
nameOptionalUser’s full name
family_nameOptionalUser’s surname or last name
given_nameOptionalUser’s given name or first name
localeOptionalUser’s locale (BCP 47 language tag)
pictureOptionalURL of user’s profile picture

In some cases, you may need to parse the ID token manually—for example, to access custom claims that are not part of the standard User object in the SDK method. These details are encoded in the ID token as JSON Web Token (JWT).

To verify the signature, you need to:

  1. Fetch the public signing keys from the JSON Web Key Set (JWKS) endpoint.
  2. Use a JWT library for your language to decode and verify the token using the keys.

The JWKS endpoint for your environment is located at:

Terminal window
https://<YOUR_ENVIRONMENT_URL>/keys

For example, if your Scalekit Environment URL is https://your-environment.scalekit.com, the keys can be found at https://your-environment.scalekit.com/keys.

When validating, pay special attention to these claims:

  • iss (Issuer): This must match your Scalekit environment URL.
  • aud (Audience): This must match your application’s client ID.
  • exp (Expiration Time): Ensure the token has not expired.
  • sub (Subject): This uniquely identifies the user, often combining the connection_id and the identity provider’s unique user ID.
  • amr: Contains the connection_id used for authentication.

This structure provides a neutral, factual reference for ID token claims in Scalekit, organized according to the data structure itself.

An ID token is nothing but a cryptographically signed Base64-encoded JSON object containing a set of name/value pairs about the user’s profile information. Essentially, it is a JWT token. Ideally, it is advised that you validate an ID token before you use it, but since you are communicating directly with Scalekit over an intermediary-free HTTPS channel and using your client secret to exchange the code for the ID token, you can be confident that the token you receive really comes from Scalekit and is valid.

If you are using our Scalekit SDK to exchange the code for the ID token, the work of decoding the base64url-encoded values and parsing the JSON within, validating the JWT and accessing the claims within the ID token is automatically taken care of.