ID Token
An ID Token is a JSON Web Token (JWT) RFC 7519 (opens in a new tab) that has claims per OpenID Connect §2 (opens in a new tab).
In the following example of a raw ID Token:
purpleis the header that describes the JWT;yellowis the payload of the ID Token; andgreenis the signature of the JWT.
Compact Format
eyJhbGciOiJSUzI1NiIsInR5cCI6ImRwb3AraWRfdG9rZW4iLCJraWQiOiIyMDI1LTAxLTE1VDE2OjU2OjQ5LjY2OFpfNz
M1LTFjNSJ9.eyJpc3MiOiJodHRwczovL2lzc3Vlci5oZWxsby5jb29wIiwiYXVkIjoiYXBwX0hlbGxvRGV2ZWxvcGVyUGx
heWdyb3VuZF9JcTIiLCJub25jZSI6ImZhMzI5NGY4LTIyMmEtNDcwMS04YmUyLWY1Y2YwZDY1NThmZSIsImp0aSI6Imp0a
V9wdXNLQjFZcjhRUk9qQ0FqbGVoNU1yZDFfWmZSIiwic3ViIjoiMjY1YTU2YTMtYWMwNC00NzFjLTgzMmUtNWUxNmE3NGV
iMWYxIiwidGVuYW50IjoicGVyc29uYWwiLCJuYW1lIjoiRGljayBIYXJkdCIsInBpY3R1cmUiOiJodHRwczovL3BpY3R1c
mVzLmhlbGxvLmNvb3AvYXZhdGFyLzFjOGNlMzZlMDczNWFhY2ViYmUyZDUxNjk0ODJjODY3P3M9MjU2LGQ9aWRlbnRpY29
uIiwiZW1haWwiOiJkaWNrLmhhcmR0QGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJpYXQiOjE3NTUyNDkzM
TQsImV4cCI6MTc1NTI0OTYxNCwiY25mIjp7Imp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IkxBT25iQU1
FRWROYS16UzFoeG9WWTVIZkp5aWFLRlNIVjVfRWJBY0lBdDQiLCJ5IjoiUDh1QkliNmYxX2VQUU13QjcwS0lVaEowV2pXd
jJQQ1BLcjJwVlhpTndROCJ9fX0.lpvNCaNaQRSH-XSXg_YDKwJfprtpkr7L2DanDUhXRZ8uAlDyOdDXJm6weEXrHiq9UQC
8WGatmQ8V__jeTntPe8njID3MrfSY5jtS3AATfACC8oOqt_NPExW3noKBMjzLP50aa8JPBdu39YBnfOA78tL4K0GcCNDk9
ctKf8dJktb4URnl4n7yYpJ_VCFp44bujpoxyr-SXBzZn8Zo2PY0oOApnAICiLs0iS9KhAegEP55Vo4m9Y2uER7YtIGA2S1
iUwBbgx0XoFeIn4jQtMNydaksmbPqZFtAFNUKUM85KFnKAx_OMrhqEU0b3lc4kbR1Na_orr4Ucm1e-_pYk_UlOgDecoded ID Token
Note: The following example includes the cnf claim that appears when the dpop scope is requested:
{
"header": {
"alg": "RS256",
"typ": "dpop+id_token",
"kid": "2025-01-15T16:56:49.668Z_735-1c5"
},
"payload": {
"iss": "https://issuer.hello.coop",
"aud": "app_HelloDeveloperPlayground_Iq2",
"nonce": "fa3294f8-222a-4701-8be2-f5cf0d6558fe",
"jti": "jti_pusKB1Yr8QROjCAjleh5Mrd1_ZfR",
"sub": "265a56a3-ac04-471c-832e-5e16a74eb1f1",
"tenant": "personal",
"name": "Dick Hardt",
"picture": "https://pictures.hello.coop/avatar/1c8ce36e0735aacebbe2d5169482c867?s=256,d=identicon",
"email": "dick.hardt@gmail.com",
"email_verified": true,
"iat": 1755249314,
"exp": 1755249614,
"cnf": {
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "LAOnbAMEEdNa-zS1hxoVY5HfJyiaKFSHV5_EbAcIAt4",
"y": "P8uBIb6f1_ePQMwB70KIUhJ0WjWv2PCPKr2pVXiNwQ8"
}
}
}
}Decoded ID Token From Managed Account
{
"header": {
"alg":"RS256",
"typ":"JWT",
"kid":"2024-07-04T22:20:39.286Z_1e0-a23"
},
"payload": {
"iss": "https://issuer.hello.coop",
"aud": "app_HelloDeveloperPlayground_Iq2",
"nonce": "1893877889423231951",
"jti": "jti_1kY5VpEWg3IHSa7xha4ati10_PN5",
"sub": "7f294906-9c9e-4e1b-a690-4c9e9d4c285d",
"picture": "https://pictures.hello.coop/r/7c9ae192-363c-409e-945a-f25e5833e375.jpeg",
"email": "dick.hardt@hello.coop",
"email_verified": true,
"name": "Dick Hardt",
"iat": 1729709582,
"exp": 1729709882,
"tenant": "org_9yMcnK3agJyUDxOBp19gpSe8_PU1"
},
}Payload Description
| Claim | Description |
|---|---|
iss | Issuer of ID Token. Will always be https://issuer.hello.coop |
aud | Audience of ID Token. Will be your client_id |
nonce | The nonce that you optionally included in your request |
jti | A unique identifier for this ID Token generated by Hellō |
sub | The subject of the ID Token. A unique identifier for the user. We recommend you use this to identify your users. See FAQ 10 for details. |
name | The user's full name or legal name. |
picture | A user's profile picture URL. See FAQ 12 for details. |
email | The user's email address. |
email_verified | Indicates email was verified. Will always be true from Hellō |
iat | The time the ID Token was issued in Epoch time (opens in a new tab) |
exp | The time the ID Token expires. Hellō sets the expiry to be 5 minutes (300 seconds) after iat |
tenant | The Hellō identifier for the organization. Similar to sub, use this to identify the organization. Set to personal for personal accounts. |
cnf | Confirmation claim containing the public key bound to the ID token when using dpop scope. |