ID Tokens

ID Tokens are used in token-based authentication to cache user profile information and provide it to a client application, thereby providing better performance and experience. The application receives an ID Token after a user successfully authenticates, then consumes the ID Token and extracts user information from it, which it can then use to personalize the user's experience.

For example, let's say you have built a regular web application, registered it with Auth0, and have configured it to allow a user to log in using Google. Once a user logs in to your app, you can use the ID Token to gather information, such as name and email address, which you can then use to auto-generate and send a personalized welcome email.

ID Token security

As with any other JWT, you should follow token best practices when using ID Tokens.

Be sure to validate an ID Token before using the information it contains! You can use a library to help with this task.

ID Token lifetime

By default, an ID Token is valid for 36000 seconds (10 hours). If there are security concerns, you can shorten the time period before the token expires, keeping in mind that one of the purposes of the token is to improve user experience by caching user information.

To learn how to change the ID Token expiration time, see Update ID Token Lifetime.
