ID Token
The ID Token is a security token that contains Claims about authentication. It is a JWT (JSON Web Token) that can be decoded and validated.
JWT Structure
The ID Token is composed of three parts separated by dots:
header.payload.signature
- header: Metadata about the token
- payload: The token's claims (information)
- signature: Signature for validation
Standard Claims
The standard Claims are:
sub
Abbreviation of Subject Identifier. Unique identifier of the user in the system.
"sub": "000001"
exp
Expiration time after which the ID Token should no longer be accepted as valid. Its value is a JSON number representing the number of seconds since 1970-01-01T0:0:0Z.
"exp": 1697234567
iat
Time at which the JWT was issued. Its value is a JSON number representing the number of seconds since 1970-01-01T0:0:0Z.
"iat": 1697230967
iss
Abbreviation of Issuer. Represents the entity that issued the JWT.
"iss": "fanbase"
aud
Audience for which the ID Token is intended. Your own client_id must be present.
"aud": "exampleclient"
profile
Object containing information about the authenticated user. Its fields need to be defined according to each system's needs.
"profile": {
  "name": "John Silva",
  "email": "john@example.com"
}
JWT Decoding
The JWT payload is encoded in Base64URL. You can decode it to view the claims:
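// Decodes the payload for inspection only; it does NOT verify the signature.
function decodeJWT(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('Expected header.payload.signature');
  }
  // Base64URL -> Base64, then decode the bytes as UTF-8 so non-ASCII claims survive
  const base64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const bytes = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}
// Constructed sample: the payload decodes to {"sub":"000001"}; the signature part is a placeholder
const idToken = 'eyJ0eXAiOiJKV1QifQ.eyJzdWIiOiIwMDAwMDEifQ.signature';
const claims = decodeJWT(idToken);
console.log(claims);
Validation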
Before using the ID Token, you must validate it as described in ID Token Validation.
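The following is an added example, not part of the original documentation: it checks the standard claims described above (sub, iss, aud, exp, iat) on a decoded payload. It does not verify the signature, which remains a separate required step. The names decodePayload and checkClaims, the 60-second clock-skew tolerance, and the sample tokens are assumptions made for illustration.

```javascript
// Added example. Checks claims only; the signature must be verified separately.
const b64url = (obj) => // helper used only to build the constructed sample tokens
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a header.payload.signature token');
  const bytes = Uint8Array.from(
    atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Returns a list of problems; an empty list means the claims passed.
// skewSeconds is an assumed tolerance for clock drift between issuer and client.
function checkClaims(claims, { issuer, clientId, now, skewSeconds = 60 }) {
  const problems = [];
  if (typeof claims.sub !== 'string' || claims.sub === '') problems.push('sub missing');
  if (claims.iss !== issuer) problems.push('iss mismatch');
  // aud may be a single string or an array of strings
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) problems.push('aud does not contain client_id');
  if (typeof claims.exp !== 'number' || now >= claims.exp + skewSeconds) problems.push('expired');
  if (typeof claims.iat !== 'number' || claims.iat > now + skewSeconds) problems.push('iat in the future');
  return problems;
}

// Constructed sample tokens: claim values from the examples above, placeholder signature
const base = { sub: '000001', iss: 'fanbase', aud: 'exampleclient', iat: 1697230967, exp: 1697234567 };
const makeToken = (claims) => `${b64url({ typ: 'JWT' })}.${b64url(claims)}.signature`;
const expected = { issuer: 'fanbase', clientId: 'exampleclient', now: 1697231000 };

const goodResult = checkClaims(decodePayload(makeToken(base)), expected);
const wrongAudience = checkClaims(decodePayload(makeToken({ ...base, aud: ['otherclient'] })), expected);
const expiredResult = checkClaims(decodePayload(makeToken(base)), { ...expected, now: 1697240000 });
console.log({ goodResult, wrongAudience, expiredResult });
```

In an application, pass `now` as `Math.floor(Date.now() / 1000)` and run these checks only after the signature has been verified.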
