> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Connected App ID Token Object

An **ID Token** is a security token that contains claims about the User issued by Stytch to a particular Connected App Client.

ID Tokens are issued by the [Token Endpoint](../exchange-authorization-code) automatically when the openid scope is granted to the Client during an OAuth flow.

The contents of an ID Token depend on the scopes granted to the client:

* All ID Tokens will always contain the `iss`, `sub`, `aud`, `exp`, `nbf`, and `iat` claims.
* If the `profile` scope is granted, the `name`, `given_name`, `family_name`, `profile_picture`, and `locale` claims will be returned.
* If the `email` scope is granted, the `email` and `email_verified` claims will be returned.
* If the `phone` scope is granted, the `phone_number` and `phone_number_verified` claims will be returned.

ID tokens granted to Connected App clients are **JWTs (JSON Web Tokens)** signed by your Stytch project's [**JWKS (JSON Web Key Set)**](../configuration/get-jwks) using the RS256 algorithm. They can be validated locally using any Stytch Backend SDK, or any library that supports the JWT protocol.

ID tokens are defined by the [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1%5F0.html#IDToken) specification.

### Fields

<ResponseField name="iss" type="string">
  The issuer of the token. By default, this is your project's Custom Domain, or `stytch.com/${projectId}` if the token was retrieved using the stytch.com domain. See the [Custom Domain](/connected-apps/resources/custom-domains) guide for more information.
</ResponseField>

<ResponseField name="sub" type="string">
  The subject of the token. This is a unique identifier for the user.
</ResponseField>

<ResponseField name="aud" type="string">
  The audience (`client_id`) that the token is intended for. Additional custom audiences can be defined for the token by setting the `access_token_custom_audience` parameter on the client object.
</ResponseField>

<ResponseField name="exp" type="number">
  The expiration time of the token, expressed as a Unix timestamp.
</ResponseField>

<ResponseField name="nbf" type="number">
  The time before which the JWT must not be accepted for processing, expressed as a Unix timestamp.
</ResponseField>

<ResponseField name="iat" type="number">
  The time at which the token was issued, expressed as a Unix timestamp.
</ResponseField>

<ResponseField name="name" type="string">
  The full name of the end-user. This claim is only returned when the client is granted the `profile` scope.
</ResponseField>

<ResponseField name="given_name" type="string">
  The given (first) name of the end-user. This claim is only returned when the client is granted the `profile` scope.
</ResponseField>

<ResponseField name="middle_name" type="string">
  The middle name of the end-user. This claim is only returned when the client is granted the `profile` scope.
</ResponseField>

<ResponseField name="family_name" type="string">
  The family (last) name of the end-user. This claim is only returned when the client is granted the `profile` scope.
</ResponseField>

<ResponseField name="picture" type="string">
  The URL of the end-user's profile picture. This claim is only returned when the client is granted the `profile` scope.
</ResponseField>

<ResponseField name="locale" type="string">
  The end-user's locale, typically in the form of a language tag (e.g., "en-US"). This claim is only returned when the client is granted the `profile` scope.
</ResponseField>

<ResponseField name="email" type="string">
  The end-user's email address. This claim is only returned when the client is granted the `email` scope.
</ResponseField>

<ResponseField name="email_verified" type="boolean">
  Indicates whether the end-user's email address has been verified. This claim is only returned when the client is granted the `email` scope.
</ResponseField>

<ResponseField name="phone_number" type="string">
  The end-user's phone number. This claim is only returned when the client is granted the `phone` scope.
</ResponseField>

<ResponseField name="phone_number_verified" type="boolean">
  Indicates whether the end-user's phone number has been verified. This claim is only returned when the client is granted the `phone` scope.
</ResponseField>

<Panel>
  ```json 200 theme={null}
  {
      "iss" : "https://${projectDomain}",
      "sub" : "user-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6",
      "aud" : [
          "connected-app-test-d731954d-dab3-4a2b-bdee-07f3ad1be888"
      ],
      "exp" : 1738786128,
      "nbf" : 1738782528,
      "iat" : 1738782528,
      "name" : "Jane Doe",
      "given_name" : "Jane",
      "family_name" : "Doe",
      "middle_name" : "",
      "email" : "sandbox@stytch.com",
      "email_verified" : true,
      "phone_number" : "+12025550162",
      "phone_number_verified" : true
  }
  ```
</Panel>
