Example ID Token (200 response):
{
    "iss" : "https://${projectDomain}",
    "sub" : "user-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6",
    "aud" : [
        "connected-app-test-d731954d-dab3-4a2b-bdee-07f3ad1be888"
    ],
    "exp" : 1738786128,
    "nbf" : 1738782528,
    "iat" : 1738782528,
    "name" : "Jane Doe",
    "given_name" : "Jane",
    "family_name" : "Doe",
    "middle_name" : "",
    "email" : "sandbox@stytch.com",
    "email_verified" : true,
    "phone_number" : "+12025550162",
    "phone_number_verified" : true
}
An ID Token is a security token that contains claims about the User issued by Stytch to a particular Connected App Client. ID Tokens are issued by the Token Endpoint automatically when the openid scope is granted to the Client during an OAuth flow. The contents of an ID Token depend on the scopes granted to the client:
  • All ID Tokens will always contain the iss, sub, aud, exp, nbf, and iat claims.
  • If the profile scope is granted, the name, given_name, family_name, profile_picture, and locale claims will be returned.
  • If the email scope is granted, the email and email_verified claims will be returned.
  • If the phone scope is granted, the phone_number and phone_number_verified claims will be returned.
ID tokens issued to Connected App clients are JWTs (JSON Web Tokens) signed with the RS256 algorithm using a key published in your Stytch project’s JWKS (JSON Web Key Set). They can be validated locally with any Stytch Backend SDK, or with any library that implements the JWT standard: verify the signature against the JWKS, then check that iss matches your project, that aud contains your client_id, and that the current time falls between nbf and exp. ID tokens are defined by the OpenID Connect Core specification.

Fields

iss
string
The issuer of the token. By default, this is your project’s Custom Domain, or stytch.com/${projectId} if the token was retrieved using the stytch.com domain. See the Custom Domain guide for more information.
sub
string
The subject of the token. This is a unique identifier for the user.
aud
string
The audience (client_id) that the token is intended for. Additional custom audiences can be defined for the token by setting the access_token_custom_audience parameter on the client object.
exp
number
The expiration time of the token, expressed as a Unix timestamp.
nbf
number
The time before which the JWT must not be accepted for processing, expressed as a Unix timestamp.
iat
number
The time at which the token was issued, expressed as a Unix timestamp.
name
string
The full name of the end-user. This claim is only returned when the client is granted the profile scope.
given_name
string
The given (first) name of the end-user. This claim is only returned when the client is granted the profile scope.
middle_name
string
The middle name of the end-user. This claim is only returned when the client is granted the profile scope.
family_name
string
The family (last) name of the end-user. This claim is only returned when the client is granted the profile scope.
picture
string
The URL of the end-user’s profile picture. This claim is only returned when the client is granted the profile scope.
locale
string
The end-user’s locale, typically in the form of a language tag (e.g., “en-US”). This claim is only returned when the client is granted the profile scope.
email
string
The end-user’s email address. This claim is only returned when the client is granted the email scope.
email_verified
boolean
Indicates whether the end-user’s email address has been verified. This claim is only returned when the client is granted the email scope.
phone_number
string
The end-user’s phone number. This claim is only returned when the client is granted the phone scope.
phone_number_verified
boolean
Indicates whether the end-user’s phone number has been verified. This claim is only returned when the client is granted the phone scope.