ID Token

An ID Token is a JSON Web Token (JWT) RFC 7519 (opens in a new tab) that has claims per OpenID Connect §2 (opens in a new tab).
In the following example of a raw ID Token:

purple is the header that describes the JWT;
yellow is the payload of the ID Token; and
green is the signature of the JWT.

Compact Format

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjIwMjQtMDctMDRUMjI6MjA6MzkuMjg2Wl8xZTAYTIzIn00.ey
Jpc3MiOiJodHRwczovL2lzc3Vlci5oZWxsby5jb29wIiwiYXVkIjoiYXBwX0hlbGxvRGV2ZWxvcGVyUGxheWdyb3VuZF9Jc
TIiLCJub25jZSI6IjE4OTM4Nzc4ODk0MjMyMzE5NTEiLCJqdGkiOiJqdGlfd0ZHdWdpQXp1WVBxTkh2ajJuUnI2enhvX0lq
biIsInN1YiI6IjI2NWE1NmEzLWFjMDQtNDcxYy04MzJlLTVlMTZhNzRlYjFmMSIsIm5hbWUiOiJEaWNrIEhhcmR0IiwicGl
jdHVyZSI6Imh0dHBzOi8vcGljdHVyZXMuaGVsbG8uY29vcC9yLzdjOWFlMTkyLTM2M2MtNDA5ZS05NDVhLWYyNWU1ODMzZT
M3NS5qcGVnIiwiZW1haWwiOiJkaWNrLmhhcmR0QGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJpYXQiOjE3M
jk3MDkwNjcsImV4cCI6MTcyOTcwOTM2N30.caUbiKPYAusalMYJcGj8w726pE8WvfYwlDtms3tMovj7U9eGTwqQykf_tlbz
IrJ4m6KofsriScGrm_2RAiaZTfk3srbWu21WhaLxqHhkbqu0lntNzkgVCjROv_CQ5YcsXh4L0aAJmKpkL3lVATMQSMxBUY0
bnmDT5jKO2ldxse4WAGSYssSUy1O6YzsjcvRpL3shuTYNkx2NMrqBO2kdTEuFL3IeH8cRFI6x52w7TJKJXs0n8qRVdaul64
URRrQrhTidVfCdFwswdrUZ3pdyhiTLlhC9Kn9Dtk5F3KVd0SEuzcb9cBJzNvV-vO-j7b-siqUJV4du3Q

Decoded ID Token

{
    "header": {
        "alg":"RS256",
        "typ":"JWT",
        "kid":"2024-07-04T22:20:39.286Z_1e0-a23"
    },
    "payload": {
        "iss": "https://issuer.hello.coop",
        "aud": "app_HelloDeveloperPlayground_Iq2",
        "nonce": "1893877889423231951",
        "jti": "jti_wFGugiAzuYPqNHvj2nRr6zxo_Ijn",
        "sub": "265a56a3-ac04-471c-832e-5e16a74eb1f1",
        "name": "Dick Hardt",
        "picture": "https://pictures.hello.coop/r/7c9ae192-363c-409e-945a-f25e5833e375.jpeg",
        "email": "dick.hardt@gmail.com",
        "email_verified": true,
        "iat": 1729709067,
        "exp": 1729709367
    }
}

Decoded ID Token From Managed Account

{
    "header": {
        "alg":"RS256",
        "typ":"JWT",
        "kid":"2024-07-04T22:20:39.286Z_1e0-a23"
    },
    "payload": {
        "iss": "https://issuer.hello.coop",
        "aud": "app_HelloDeveloperPlayground_Iq2",
        "nonce": "1893877889423231951",
        "jti": "jti_1kY5VpEWg3IHSa7xha4ati10_PN5",
        "sub": "7f294906-9c9e-4e1b-a690-4c9e9d4c285d",
        "picture": "https://pictures.hello.coop/r/7c9ae192-363c-409e-945a-f25e5833e375.jpeg",
        "email": "dick.hardt@hello.coop",
        "email_verified": true,
        "name": "Dick Hardt",
        "iat": 1729709582,
        "exp": 1729709882,
        "org": {
            "id": "org_9yMcnK3agJyUDxOBp19gpSe8_PU1",
            "domain": "hello.coop"
        },
        "org_claims": [
            "picture",
            "email",
            "name"
        ]
    },
}

Payload Description

Claim	Description
`iss`	Issuer of ID Token. Will always be `https://issuer.hello.coop`
`aud`	Audience of ID Token. Will be your `client_id`
`nonce`	The nonce that you optionally included in your request
`jti`	A unique identifier for this ID Token generated by Hellō
`sub`	The subject of the ID Token. A unique identifier for the user. We recommend you use this to identify your users. See FAQ 10 for details.
`name`	The user's full name or legal name.
`picture`	A user's profile picture URL. See FAQ 12 for details.
`email`	The user's email address.
`email_verified`	Indicates email was verified. Will always be `true` from Hellō
`iat`	The time the ID Token was issued in Epoch time (opens in a new tab)
`exp`	The time the ID Token expires. Hellō sets the expiry to be 5 minutes (300 seconds) after `iat`
`org.id`	The Hellō identifier for the organization. Similar to `sub`, use this to identify the organization
`org.domain`	The domain of the organization. Note the organization may change this
`org_claims`	Array of claims that came from the organization

Verification Configuration