An Access Token is a credential used to access protected resources. An access token represents an authorization issued to a particular Connected App Client by a Stytch User. Access Tokens are issued by the Token Endpoint automatically at the end of every successful OAuth flow. Access Tokens embed the authorization granted to a Connected App Client within the scope field. Stytch supports the standard OpenID scopes: openid, profile, email, phone, and offline_access.
Access tokens granted to Connected App clients are JWTs (JSON Web Tokens) signed by your Stytch project’s JWKS (JSON Web Key Set) using the RS256 algorithm. They can be validated locally by using a Stytch Backend SDK, or any library that supports the JWT protocol.
Fields
The issuer of the token. By default, this is your project’s Custom Domain, or stytch.com/${projectId} if the token was retrieved using the stytch.com domain. See the Custom Domain guide for more information.
The subject of the token. This is a unique identifier for the user.
The audience (client_id) that the token is intended for. Additional custom audiences can be defined for the token by setting the access_token_custom_audience parameter on the client object.
The expiration time of the token, expressed as a Unix timestamp.
The time before which the JWT must not be accepted for processing, expressed as a Unix timestamp.
The time at which the token was issued, expressed as a Unix timestamp.
A unique identifier for the JWT.
A space-separated list of scopes granted to the client. For example, read:users write:users.
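The checks a resource server applies to these fields when validating a token locally, as an added example that is not Stytch SDK code. It assumes the signature has already been verified against the project's JWKS by a JWT library, and that the fields use the registered JWT claim names from RFC 7519 (iss, sub, aud, exp, nbf, iat, jti); the function names, the issuer URL, the client ID and all sample values are constructed placeholders.

```python
import base64
import json
import time

def check_header(token):
    """Pin the signing algorithm to RS256 before any signature verification."""
    segment = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    return header

def validate_claims(claims, issuer, audience, required_scopes=(), now=None, leeway=30):
    """Validate the payload of a token whose signature was ALREADY verified
    against the project's JWKS. Returns the set of granted scopes."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    # aud may be a single string, or a list once custom audiences are configured.
    audiences = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if audience not in audiences:
        raise ValueError("token not intended for this audience")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        raise ValueError("token expired or exp missing")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        raise ValueError("token not yet valid")
    # scope is one space-separated string, so compare whole scope names as a set.
    granted = set(str(claims.get("scope", "")).split())
    missing = set(required_scopes) - granted
    if missing:
        raise PermissionError("missing scopes: " + " ".join(sorted(missing)))
    return granted

# Constructed sample payload; every value is a placeholder, not a real token.
SAMPLE_CLAIMS = {
    "iss": "https://auth.example.com",
    "sub": "user-placeholder-123",
    "aud": ["client-placeholder-abc", "https://api.example.com"],
    "exp": 1700003600, "nbf": 1700000000, "iat": 1700000000,
    "jti": "jwt-placeholder-1",
    "scope": "openid profile read:users",
}

if __name__ == "__main__":
    print(validate_claims(SAMPLE_CLAIMS, "https://auth.example.com",
                          "client-placeholder-abc", ["read:users"], now=1700000100))
```

Splitting the scope string into a set avoids substring matches, so a token carrying only read:users never satisfies a check for read:users:admin or write:users.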