Docs

Validate ID Tokens

An ID Token, which contains user profile attributes, is consumed by an app and is typically used for user interface display. Auth0 issues all ID Tokens in JSON Web Token (JWT) format.

If any of these checks fail, the token is considered invalid, and the request must be rejected.

  1. Validate the JSON Web Token.

  2. Check additional standard claims. If you've performed the standard JWT validation, you have already decoded the JWT's Payload and looked at its standard claims. Additional claims to verify for ID Tokens include:

    • Token audience (aud, string): The audience value for the token must match the client ID of the application as defined in your Application's Settings in the Client ID field.
    • Nonce (nonce, string): Passing a nonce in the token request is recommended (required for the Implicit Flow) to help prevent replay attacks. The nonce value in the token must exactly match the original nonce sent in the request. To learn more how to use nonces in token requests, see Mitigate Replay Attacks.

Keep reading