ID Tokens

ID Tokens

ID Tokens are used in token-based authentication to cache user profile information and provide it to a client application, thereby providing better performance and experience. The application receives an ID Token after a user successfully authenticates, then consumes the ID Token and extracts user information from it, which it can then use to personalize the user's experience.

For example, let's say you have built a regular web application, registered it with Auth0, and have configured it to allow a user to log in using Google. Once a user logs in to your app, you can use the ID Token to gather information, such as name and email address, which you can then use to auto-generate and send a personalized welcome email.

ID Token Structure

ID Tokens follow the JSON Web Token (JWT) standard, which means that their basic structure conforms to the typical JWT Structure, and they contain standard JWT Claims asserted about the token itself.

However, beyond what is required for JWT, ID Tokens also contain claims asserted about the authenticated user, which are pre-defined by the OpenID Connect (OIDC) protocol, and are thus known as standard OIDC claims. Some standard OIDC claims include:

  • name
  • nickname
  • picture
  • email
  • email_verified

For a full list of standard OIDC claims, see OIDC specification: Standard Claims.

You control which OIDC claims are included in the ID Token consumed by your application by including specific OpenID Connect Scopes in a parameter when you request tokens while authenticating users. To learn how to request an ID Token, see Get an ID Token.

You can also create custom claims, which are claims that you define, control, and add to a token using a rule.

ID Token Security

As with any other JWTs, you should follow token best practices when using ID Tokens and validate an ID Token before assuming that its contents can be trusted.

ID Token Lifetime

By default, an ID Token is valid for 36000 seconds (10 hours). If there are security concerns, you can shorten the time period before the token expires, but remember that one of the purposes of this token is to improve performance by caching user information.

To learn how to change the ID Token expiration time, see Update ID Token Lifetime.

Next Steps