Access Token Claims
LoginRadius issues JWT access tokens conforming to RFC 9068 — JWT Profile for OAuth 2.0 Access Tokens. This page is a reference for every claim you will find in the decoded payload and how your resource server should validate them.
Use this as a companion to feature-specific docs such as Resource Indicators, Machine-to-Machine, and the OIDC Authorization Code Flow.
Example Payload
```json
{
  "iss": "https://your-app.hub.loginradius.com/service/oauth/MyApp",
  "sub": "e2a19b161ba241559319dc4c47e5ef75",
  "aud": ["api://payment_gateway"],
  "scp": ["read:payment"],
  "azp": "your-client-id",
  "cid": "40c4bf81-8e8e-4a75-a495-613e69b842a4",
  "amr": ["pwd"],
  "sid": "6a046f38-af99-47f1-bcf9-bdf90b810212",
  "iat": 1778675881,
  "nbf": 1778675881,
  "exp": 1778679481,
  "jti": "ab9b169a-8826-4c8f-8f71-7bf48fd8c629"
}
```
Claim Reference
Identity & Audience
| Claim | Type | Description |
|---|---|---|
| iss | string | Issuer URL of the LoginRadius authorization server for the app. Validate that this matches, exactly, the issuer you expect for your tenant and app. |
| sub | string | Subject: the user's unique LoginRadius UID. For Client Credentials tokens (no end user), this is the client subject. |
| aud | string[] | Always a JSON array of one or more URIs the token is valid for, set from the `resource` parameter on the request. Resource servers must verify their own URI is contained in this array. See Resource Indicators. |
| scp | string[] | Granted scopes as a JSON array of strings (RFC 9068 form). May be narrower than what the client requested; see Scope Resolution. |
Client Context
| Claim | Type | Description |
|---|---|---|
| azp | string | Authorized party: the `client_id` the token was issued to. |
| cid | string | LoginRadius internal client identifier. |
| amr | string[] | Authentication Methods References, e.g. `["pwd"]` for password, `["mfa"]` when MFA was performed. |
| sid | string | Session identifier tying the token to the user's authenticated session. Useful for backchannel logout correlation. |
Time & Identity Claims
| Claim | Type | Description |
|---|---|---|
| iat | number | Issued At: Unix timestamp at which the token was created. |
| nbf | number | Not Before: Unix timestamp before which the token must not be accepted. Typically equals `iat`. |
| exp | number | Expiration: Unix timestamp after which the token must not be accepted. |
| jti | string | Unique JWT identifier. Useful for one-time-use enforcement, replay protection, and revocation tracking. |
Validating a Token
A minimal validation routine at your resource server:
1. Verify the JWT signature against the LoginRadius JWKS, pinning the signing algorithm you expect rather than trusting the token's `alg` header.
2. Verify the JWT header `typ` is `at+jwt` (or `application/at+jwt`), as RFC 9068 requires, so that an ID token or other JWT cannot be presented as an access token.
3. Verify `iss` matches the expected LoginRadius issuer for your tenant exactly (no prefix or substring matching).
4. Verify `exp` has not passed and `nbf` (if present) has, allowing only a small clock-skew leeway (tens of seconds, not minutes).
5. Verify the `aud` array contains this resource server's own URI; reject with 401 if it does not.
6. Verify every scope the endpoint requires is present in the `scp` array; reject with 403 (`insufficient_scope`) if one is missing.
7. (Optional) Track `jti` in a replay cache for one-time-use semantics.
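The checklist above, carried through as an added Python example (this is illustration code written for this page, not LoginRadius's own SDK or library code). Two assumptions make it run offline: a symmetric HS256 demo key stands in for the JWKS-published signing key, and the sample claims are constructed from the example payload above. `validate_access_token`, `verdict`, `mint_token` and `DEMO_KEY` are names chosen here, not LoginRadius identifiers.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; issuer and resource URI mirror the example payload on this page.
ISSUER = "https://your-app.hub.loginradius.com/service/oauth/MyApp"
MY_RESOURCE = "api://payment_gateway"
# Assumption: a symmetric HS256 key stands in for the JWKS (asymmetric) key so the example runs offline.
DEMO_KEY = b"demo-only-hs256-key-not-for-production"


class TokenError(Exception):
    """Any validation failure. Map to HTTP 401 (403 for insufficient scope)."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY, typ: str = "at+jwt") -> str:
    """Build an HS256 JWT for the demo only; real tokens are issued by LoginRadius."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_access_token(token, my_resource, required_scopes, key=DEMO_KEY,
                          expected_issuer=ISSUER, now=None, leeway=30, seen_jti=None):
    """Return the verified claims or raise TokenError. Steps follow the checklist above."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        raise TokenError("malformed token")
    # 1. Signature: pin the algorithm; never let the token's alg header choose the verifier.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    # 2. typ: RFC 9068 access tokens are typed so an ID token cannot be swapped in.
    if header.get("typ") not in ("at+jwt", "application/at+jwt"):
        raise TokenError("not an at+jwt access token")
    # 3. Issuer must equal the expected value exactly.
    if payload.get("iss") != expected_issuer:
        raise TokenError("wrong issuer")
    # 4. exp / nbf with a small clock-skew leeway.
    exp, nbf = payload.get("exp"), payload.get("nbf")
    if not isinstance(exp, int) or now > exp + leeway:
        raise TokenError("token expired")
    if nbf is not None and now < nbf - leeway:
        raise TokenError("token not yet valid")
    # 5. Audience: our own URI must be in the array (a bare string is normalised defensively).
    aud = payload.get("aud")
    aud = [aud] if isinstance(aud, str) else aud
    if not isinstance(aud, list) or my_resource not in aud:
        raise TokenError("audience does not include this resource")
    # 6. Scopes: every scope the endpoint needs must have been granted.
    missing = set(required_scopes) - set(payload.get("scp") or [])
    if missing:
        raise TokenError("insufficient scope: " + ",".join(sorted(missing)))
    # 7. Optional replay protection keyed on jti (in-memory set here; shared cache in production).
    if seen_jti is not None:
        jti = payload.get("jti")
        if not jti or jti in seen_jti:
            raise TokenError("jti missing or already used")
        seen_jti.add(jti)
    return payload


def verdict(token, my_resource=MY_RESOURCE, required_scopes=("read:payment",), **kw):
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        validate_access_token(token, my_resource, list(required_scopes), **kw)
        return "ok"
    except TokenError as e:
        return str(e)


# Constructed claims matching the example payload; NOW sits inside its validity window.
NOW = 1778676000
SAMPLE_CLAIMS = {
    "iss": ISSUER, "sub": "e2a19b161ba241559319dc4c47e5ef75",
    "aud": ["api://payment_gateway"], "scp": ["read:payment"],
    "iat": 1778675881, "nbf": 1778675881, "exp": 1778679481,
    "jti": "ab9b169a-8826-4c8f-8f71-7bf48fd8c629",
}

if __name__ == "__main__":
    print(verdict(mint_token(SAMPLE_CLAIMS), now=NOW))
    print(verdict(mint_token({**SAMPLE_CLAIMS, "aud": ["api://inventory"]}), now=NOW))
```

In production the signature and `typ` checks (steps 1 and 2) are delegated to a JWT library that fetches and caches the JWKS; the claim checks that follow are the part teams most often leave to defaults, and the audience check in particular must use the resource server's own URI, never a wildcard or the client's ID.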
Use a vetted JWT library (jose for Node.js, PyJWT or Authlib for Python, and so on) and let it verify the signature against the JWKS. Do not hand-roll signature verification, and pass the expected algorithm, issuer and audience to the library explicitly rather than relying on whatever the token's header claims.
Critical: audience binding (`aud`) provides no security unless the resource server enforces it. LoginRadius issues the correct claim; your service must reject any token whose `aud` does not include its own URI. Otherwise a token minted for one API can be replayed against another API that shares the same issuer.