ID Tokens are used in token-based authentication to cache user profile information and provide it to a client application, which improves performance and user experience. The application receives an ID Token after a user successfully authenticates, then consumes the ID Token and extracts user information from it, which it can then use to personalize the user's experience.
For example, let's say you have built a regular web application, registered it with Auth0, and have configured it to allow a user to log in using Google. Once a user logs in to your app, you can use the ID Token to gather information, such as name and email address, which you can then use to auto-generate and send a personalized welcome email.
ID Token Structure
However, beyond what is required for JWT, ID Tokens also contain claims asserted about the authenticated user, which are pre-defined by the OpenID Connect (OIDC) protocol, and are thus known as standard OIDC claims. Some standard OIDC claims include:
For a full list of standard OIDC claims, see OIDC specification: Standard Claims.
You control which OIDC claims are included in the ID Token consumed by your application by including specific OpenID Connect Scopes in a parameter when you request tokens while authenticating users. To learn how to request an ID Token, see Get an ID Token.
ID Token Security
ID Token Lifetime
By default, an ID Token is valid for 36000 seconds (10 hours). If there are security concerns, you can shorten the time period before the token expires, but remember that one of the purposes of this token is to improve performance by caching user information.
To learn how to change the ID Token expiration time, see Update ID Token Lifetime.
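The consume-and-extract step described above, with the expiration check that the lifetime setting controls, as an added example that is not Auth0's own code. It assumes an HS256-signed token verified with a shared secret so that it runs offline with the standard library only (a token signed with an asymmetric algorithm would be checked against the issuer's public key instead); the function names, secret, issuer URL and client ID are all constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_id_token(claims, secret):
    """Build a constructed HS256 token so the example runs offline."""
    body = ".".join(b64url_encode(json.dumps(p).encode())
                    for p in ({"alg": "HS256", "typ": "JWT"}, claims))
    return f"{body}.{b64url_encode(sign(body, secret))}"

def read_profile(token, secret, issuer, client_id, now=None):
    """Validate an ID Token, then return the profile claims it carries."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm; the token's own header must not choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sign(f"{header_b64}.{payload_b64}", secret), signature):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # trusted only after the signature check
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return {"name": claims.get("name"), "email": claims.get("email")}

# Constructed sample values; none come from a real tenant.
SECRET, ISSUER, CLIENT_ID = b"constructed-secret", "https://tenant.example/", "constructed-client-id"
ISSUED_AT = 1_700_000_000
SAMPLE = make_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "constructed-user",
                        "name": "Jane Doe", "email": "jane@example.com",
                        "iat": ISSUED_AT, "exp": ISSUED_AT + 36000}, SECRET)  # default lifetime
if __name__ == "__main__":
    print(read_profile(SAMPLE, SECRET, ISSUER, CLIENT_ID, now=ISSUED_AT + 60))
```

The sample token stops validating exactly 36000 seconds after `iat`, so any profile data cached from it should be refreshed by then.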