ID Token

An ID Token is a JSON Web Token (JWT) RFC 7519 (opens in a new tab) that has claims per OpenID Connect §2 (opens in a new tab).
In the following example of a raw ID Token:

purple is the header that describes the JWT;
yellow is the payload of the ID Token; and
green is the signature of the JWT.

Compact Format

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImJmZWQzOTBlLThkMmYtNDE3NC1iMTM2LTBhN2U1MmM5MWUxZSJ9.eyJpc
3MiOiJodHRwczovL2lzc3Vlci5oZWxsby5jb29wIiwiYXVkIjoiMzU3NGYwMDEtMDg3NC00YjIwLWJmZmQtOGYzZTM3NjM0Mjc0Iiw
ibm9uY2UiOiJiOTU3Y2VhMC1mMTU5LTQzOTAtYmE0OC01YzVkN2U5NDNlYTQiLCJqdGkiOiI4YWQxNjdkMS1kMTcwLTQ2YzktYjNjN
i00N2RkYTczNWE0ZTMiLCJzdWIiOiJmOWUyMWYwZi05ZjBlLTQxYjAtYTU4Yi1jMmQ2M2JjYzdiNGYiLCJzY29wZSI6WyJuYW1lIiw
ibmlja25hbWUiLCJwaWN0dXJlIiwiZW1haWwiLCJvcGVuaWQiXSwibmFtZSI6IkRpY2sgSGFyZHQiLCJuaWNrbmFtZSI6IkRpY2siL
CJwaWN0dXJlIjoiaHR0cHM6Ly9jZG4uaGVsbG8uY29vcC9pbWFnZXMvZGVmYXVsdC1waWN0dXJlLnBuZyIsImVtYWlsIjoiZGljay5
oYXJkdEBoZWxsby5jb29wIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImlhdCI6MTY0NTY0MTI4NywiZXhwIjoxNjQ1NjQ0ODg3fQ.vp
pFPOM1kE6qs4s0DbWVGn80P0TOHmE4tmzg78RrJyz4732n5PH4aEgVIqQrKHkSYO8CptA1BhOBW1oRg8YrbWnJP2o8O__tLW8W1j8B
zasW1td_Q_zuWqzz1XemqpLbPVKcS5MNZkYbJXLwXUAgmCOyiWgVlsXRV5D2bWhe-MesbmIaW-Rdnhf_WFuLBjNM0FO3HpdeHkJ4-w
FuzGQhgyputw1-V9yeUWkyqt-9uW09fJCHN6oE3ATA0BA3uGWoFpPRaMb4JKxNdlQkR7OAkofIe_dCLnM9xR5_zDSdGA8j45ufGaIy
1poqbq8PIg52thaWunpwuc8zo9-kiMYuZw

Decoded ID Token

{
    "header": {
        "alg": "RS256",
        "typ": "JWT",
        "kid": "bfed390e-8d2f-4174-b136-0a7e52c91e1e"
    },
    "payload": {
        "iss": "https://issuer.hello.coop",
        "aud": "3574f001-0874-4b20-bffd-8f3e37634274",
        "nonce": "b957cea0-f159-4390-ba48-5c5d7e943ea4",
        "jti": "8ad167d1-d170-46c9-b3c6-47dda735a4e3",
        "sub": "f9e21f0f-9f0e-41b0-a58b-c2d63bcc7b4f",
        "scope": [
            "name",
            "nickname",
            "picture",
            "email",
            "openid"
        ],
        "name": "Dick Hardt",
        "nickname": "Dick",
        "picture": "https://cdn.hello.coop/images/default-picture.png",
        "email": "dick.hardt@hello.coop",
        "email_verified": true,
        "iat": 1669399110,
        "exp": 1669399410
    }
}

Payload Description

Claim	Description
`iss`	Issuer of ID Token. Will always be `https://issuer.hello.coop`
`aud`	Audience of ID Token. Will be your `client_id`
`nonce`	The nonce that you optionally included in your request
`jti`	A unique identifier for this ID Token generated by Hellō
`sub`	The subject of the ID Token. A unique identifier for the user. We recommend you use this to identify your users. See FAQ 10 for details.
`scope`	The scopes returned by Hellō. See FAQ 11 for details.
`name`	The user's full name or legal name.
`nickname`	The user's preferred name, nickname, or username.
`picture`	A user's profile picture URL. See FAQ 12 for details.
`email`	The user's email address.
`email_verified`	Indicates email was verified. Will always be `true` from Hellō
`iat`	The time the ID Token was issued in Epoch time (opens in a new tab)
`exp`	The time the ID Token expires. Hellō sets the expiry to be 5 minutes (300 seconds) after `iat`

Verification Configuration