> **Building with AI coding agents?** If you're using an AI coding agent, install the official Scalekit plugin. It gives your agent full awareness of the Scalekit API — reducing hallucinations and enabling faster, more accurate code generation. > > - **Claude Code**: `/plugin marketplace add scalekit-inc/claude-code-authstack` then `/plugin install @scalekit-auth-stack` > - **GitHub Copilot CLI**: `copilot plugin marketplace add scalekit-inc/github-copilot-authstack` then `copilot plugin install @scalekit-auth-stack` > - **Codex**: run the bash installer, restart, then open Plugin Directory and enable `` > - **Skills CLI** (Windsurf, Cline, 40+ agents): `npx skills add scalekit-inc/skills --list` then `--skill ` > > `` / ``: `agentkit`, `full-stack-auth`, `mcp-auth`, `modular-sso`, `modular-scim` — [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/) --- # ID token claims Inspect the contents of the ID token An ID token is a JSON Web Token (JWT) containing cryptographically signed claims about a user's profile information. Scalekit issues this token after successful authentication. The ID token is a Base64-encoded JSON object with three parts: header, payload, and signature. Here's an example of the payload. Note this is formatted for readability and the header and signature fields are skipped. ```json title="Sample IdToken payload" frame="terminal" { "iss": "https://yoursaas.scalekit.com", "azp": "skc_12205605011849527", "aud": ["skc_12205605011849527"], "amr": ["conn_17576372041941092"], "sub": "conn_17576372041941092;google-oauth2|104630259163176101050", "at_hash": "HK6E_P6Dh8Y93mRNtsDB1Q", "c_hash": "HK6E_P6Dh8Y93mRNtsDB1Q", "iat": 1353601026, "exp": 1353604926, "name": "John Doe", "given_name": "John", "family_name": "Doe", "picture": "https://lh3.googleusercontent.com/a/ACg8ocKNE4TZj2kyLOj094kie_gDlUyU7JCZtbaiEma17URCEf=s96-c", "locale": "en", "email": "john.doe@acmecorp.com", "email_verified": true } ``` ## Full list of ID token claims | Claim | Presence | Description | | ------------------------------------------------------------------ | -------- | -------------------------------------------- | | `aud` | Always | Intended audience (client ID) | | `amr` | Always | Authentication method reference values | | `exp` | Always | Expiration time (Unix timestamp) | | `iat` | Always | Issuance time (Unix timestamp) | | `iss` | Always | Issuer identifier (Scalekit environment URL) | | `oid` | Always | Organization ID of the user | | `sub` | Always | Subject identifier for the user | | `at_hash` | Always | Access token hash | | `c_hash` | Always | Authorization code hash | | `azp` | Always | Authorized presenter (usually same as `aud`) | | `email` | Always | User's email address | | `email_verified` | Optional | Email verification status | | `name` | Optional | User's full name | | `family_name` | Optional | User's surname or last name | | `given_name` | Optional | User's given name or first name | | `locale` | Optional | User's locale (BCP 47 language tag) | | `picture` | Optional | URL of user's profile picture | ## Verifying the ID token In some cases, you may need to parse the ID token manually—for example, to access custom claims that are not part of the standard `User` object in the SDK method. These details are encoded in the ID token as JSON Web Token (JWT). If you use the Scalekit SDK, token validation is handled automatically. For non-SDK integrations (e.g., Ruby, PHP, or other languages), follow the steps below. ### Key validation parameters | Parameter | Value | |-----------|-------| | Signing algorithm | `RS256` | | JWKS endpoint | `https:///keys` | | Issuer (`iss`) | Your Scalekit environment URL (e.g., `https://yourapp.scalekit.com`) | | OpenID configuration | `https:///.well-known/openid-configuration` | ### Manual validation steps To verify the signature manually: 1. Fetch the OpenID configuration from `https:///.well-known/openid-configuration` to discover `issuer` and `jwks_uri`. 2. Fetch the public signing keys from the `jwks_uri` (e.g., `https:///keys`). 3. Use a JWT library for your language to decode and verify the token with `RS256` using those keys. 4. Validate the required claims listed below. ### Important claims When validating, pay attention to these claims: - **`iss` (Issuer)**: This must match your Scalekit environment URL. - **`aud` (Audience)**: This must match your application's client ID. - **`exp` (Expiration Time)**: Ensure the token has not expired. - **`sub` (Subject)**: This uniquely identifies the user, often combining the `connection_id` and the identity provider's unique user ID. - **`amr`**: Contains the `connection_id` used for authentication. This structure provides a neutral, factual reference for ID token claims in Scalekit, organized according to the data structure itself. An ID token is a cryptographically signed Base64-encoded JSON object containing name/value pairs about the user's profile information. It is a JWT token. Validate an ID token before using it. Since you communicate directly with Scalekit over HTTPS and use your client secret to exchange the `code` for the ID token, you can be confident that the token comes from Scalekit and is valid. If you use the Scalekit SDK to exchange the code for the ID token, the SDK automatically decodes the base64url-encoded values, parses the JSON, validates the JWT, and accesses the claims within the ID token. --- ## More Scalekit documentation | Resource | What it contains | When to use it | |----------|-----------------|----------------| | [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content | | [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas | | [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |