ID Tokens

ID tokens are used in token-based authentication to cache user profile information and provide it to a client application, thereby providing better performance and experience. The application receives an ID token after a user successfully authenticates, then consumes the ID token and extracts user information from it, which it can then use to personalize the user's experience.

For example, suppose you have a regular web app that you register it with Auth0 and configure to allow users to login with Google. Once a user logs in, use the ID token to gather information such as name and email address, which you can then use to auto-generate and send a personalized welcome email.

ID Tokens should never be used to obtain direct access to APIs or to make authorization decisions.

ID token security

As with other JWTs, you should follow token usage best practices when using and storing ID tokens.

Be sure to validate ID tokens before using the information it contains. You can use a library to help with this task.

Securing apps that make API calls come with their own set of concerns. You'll need to ensure that tokens and other sensitive data are not vulnerable to cross-site scripting (XSS) and can't be read by malicious JavaScript.

ID token lifetime

By default, an ID token is valid for 36000 seconds (10 hours). If there are security concerns, you can shorten the time period before the token expires, keeping in mind that one of the purposes of the token is to improve user experience by caching user information. See Update ID Token Lifetime for details.

Learn more