Skip to main content

Inspect Claims in ID Token

An ID Token is a JSON Web Token (JWT) containing cryptographically signed claims about a user's profile information. This is issued by Scalekit after successful authentication. The ID Token is a Base64-encoded JSON object with three parts: header, payload, and signature.

Here's an example of the payload. Note this is formatted for readability and the header and signature fields are skipped.

Sample Payload

{
"iss": "https://yoursaas.scalekit.com",
"azp": "skc_12205605011849527",
"aud": ["skc_12205605011849527"],
"amr": ["conn_17576372041941092"],
"sub": "conn_17576372041941092;google-oauth2|104630259163176101050",
"at_hash": "HK6E_P6Dh8Y93mRNtsDB1Q",
"c_hash": "HK6E_P6Dh8Y93mRNtsDB1Q",
"iat": 1353601026,
"exp": 1353604926,
"name": "John Doe",
"given_name": "John",
"family_name": "Doe",
"picture": "https://lh3.googleusercontent.com/a/ACg8ocKNE4TZj2kyLOj094kie_gDlUyU7JCZtbaiEma17URCEf=s96-c",
"locale": "en",
"email": "john.doe@acmecorp.com",
"email_verified": true
}

Full list of ID Token Claims

ClaimPresenceDescription
audAlwaysIntended audience (client ID)
amrAlwaysAuthentication Method Reference values
expAlwaysExpiration time (Unix timestamp)
iatAlwaysIssuance time (Unix timestamp)
issAlwaysIssuer identifier (Scalekit environment URL)
oidAlwaysOrganization ID of the user
subAlwaysSubject identifier for the user
at_hashAlwaysAccess token hash
c_hashAlwaysAuthorization code hash
azpAlwaysAuthorized presenter (usually same as aud)
emailAlwaysUser's email address
email_verifiedOptionalEmail verification status
nameOptionalUser's full name
family_nameOptionalUser's surname or last name
given_nameOptionalUser's given name or first name
localeOptionalUser's locale (BCP 47 language tag)
pictureOptionalURL of user's profile picture

Usage Notes

  1. The ID Token is received over a secure HTTPS channel using the client secret.
  2. Validation of the ID Token is handled automatically when using the Scalekit SDK.
  3. The sub claim combines the connection_id and the provider's unique identifier.
  4. The iss claim must match your Scalekit environment URL.
  5. The amr claim typically contains the connection_id used for authentication.

This structure provides a neutral, factual reference for ID Token Claims in Scalekit, organized according to the data structure itself.

An ID Token is nothing but a cryptographically signed Base64-encoded JSON object containing a set of name/value pairs about the user's profile information. Essentially, it is a JWT token. Ideally, it is advised that you validate an ID token before you use it, but since you are communicating directly with Scalekit over an intermediary-free HTTPS channel and using your client secret to exchange the code for the ID Token, you can be confident that the token you receive really comes from Scalekit and is valid.

If you are using our Scalekit SDK to exchange the code for the ID Token, the work of decoding the base64url-encoded values and parsing the JSON within, validating the JWT and accessing the claims within the ID token is automatically taken care of.


Is this page helpful? Yes No