ID Token
An ID Token is a JSON Web Token (JWT) RFC 7519 (opens in a new tab) that has claims per OpenID Connect §2 (opens in a new tab).
In the following example of a raw ID Token:
purple
is the header that describes the JWT;yellow
is the payload of the ID Token; andgreen
is the signature of the JWT.
Compact Format
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImJmZWQzOTBlLThkMmYtNDE3NC1iMTM2LTBhN2U1MmM5MWUxZSJ9.eyJpc
3MiOiJodHRwczovL2lzc3Vlci5oZWxsby5jb29wIiwiYXVkIjoiMzU3NGYwMDEtMDg3NC00YjIwLWJmZmQtOGYzZTM3NjM0Mjc0Iiw
ibm9uY2UiOiJiOTU3Y2VhMC1mMTU5LTQzOTAtYmE0OC01YzVkN2U5NDNlYTQiLCJqdGkiOiI4YWQxNjdkMS1kMTcwLTQ2YzktYjNjN
i00N2RkYTczNWE0ZTMiLCJzdWIiOiJmOWUyMWYwZi05ZjBlLTQxYjAtYTU4Yi1jMmQ2M2JjYzdiNGYiLCJzY29wZSI6WyJuYW1lIiw
ibmlja25hbWUiLCJwaWN0dXJlIiwiZW1haWwiLCJvcGVuaWQiXSwibmFtZSI6IkRpY2sgSGFyZHQiLCJuaWNrbmFtZSI6IkRpY2siL
CJwaWN0dXJlIjoiaHR0cHM6Ly9jZG4uaGVsbG8uY29vcC9pbWFnZXMvZGVmYXVsdC1waWN0dXJlLnBuZyIsImVtYWlsIjoiZGljay5
oYXJkdEBoZWxsby5jb29wIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImlhdCI6MTY0NTY0MTI4NywiZXhwIjoxNjQ1NjQ0ODg3fQ.vp
pFPOM1kE6qs4s0DbWVGn80P0TOHmE4tmzg78RrJyz4732n5PH4aEgVIqQrKHkSYO8CptA1BhOBW1oRg8YrbWnJP2o8O__tLW8W1j8B
zasW1td_Q_zuWqzz1XemqpLbPVKcS5MNZkYbJXLwXUAgmCOyiWgVlsXRV5D2bWhe-MesbmIaW-Rdnhf_WFuLBjNM0FO3HpdeHkJ4-w
FuzGQhgyputw1-V9yeUWkyqt-9uW09fJCHN6oE3ATA0BA3uGWoFpPRaMb4JKxNdlQkR7OAkofIe_dCLnM9xR5_zDSdGA8j45ufGaIy
1poqbq8PIg52thaWunpwuc8zo9-kiMYuZw
Decoded ID Token
{
"header": {
"alg": "RS256",
"typ": "JWT",
"kid": "bfed390e-8d2f-4174-b136-0a7e52c91e1e"
},
"payload": {
"iss": "https://issuer.hello.coop",
"aud": "3574f001-0874-4b20-bffd-8f3e37634274",
"nonce": "b957cea0-f159-4390-ba48-5c5d7e943ea4",
"jti": "8ad167d1-d170-46c9-b3c6-47dda735a4e3",
"sub": "f9e21f0f-9f0e-41b0-a58b-c2d63bcc7b4f",
"scope": [
"name",
"nickname",
"picture",
"email",
"openid"
],
"name": "Dick Hardt",
"nickname": "Dick",
"picture": "https://cdn.hello.coop/images/default-picture.png",
"email": "dick.hardt@hello.coop",
"email_verified": true,
"iat": 1669399110,
"exp": 1669399410
}
}
Payload Description
Claim | Description |
---|---|
iss | Issuer of ID Token. Will always be https://issuer.hello.coop |
aud | Audience of ID Token. Will be your client_id |
nonce | The nonce that you optionally included in your request |
jti | A unique identifier for this ID Token generated by Hellō |
sub | The subject of the ID Token. A unique identifier for the user. We recommend you use this to identify your users. See FAQ 10 for details. |
scope | The scopes returned by Hellō. See FAQ 11 for details. |
name | The user's full name or legal name. |
nickname | The user's preferred name, nickname, or username. |
picture | A user's profile picture URL. See FAQ 12 for details. |
email | The user's email address. |
email_verified | Indicates email was verified. Will always be true from Hellō |
iat | The time the ID Token was issued in Epoch time (opens in a new tab) |
exp | The time the ID Token expires. Hellō sets the expiry to be 5 minutes (300 seconds) after iat |