ID Token (Identity Token)
A JWT (JSON Web Token) in OpenID Connect that contains the authenticated user's identity claims.
What is ID Token (Identity Token)?
An ID Token (Identity Token) is a JWT (JSON Web Token) defined in the OpenID Connect (OIDC) specification that contains claims about the authenticated user's identity. When a user authenticates via OIDC, the Identity Provider (IdP) issues an ID Token (signed JWT) containing standard claims: sub (user ID), iss (issuer), aud (audience), exp (expiration), and often custom claims (email, name, picture). The ID Token is sent to the client application (RP - Relying Party) to prove the user's identity.
Analogy
Think of an ID Token like a digital ID card. Just as your physical ID card shows your photo, name, and ID number (claims), the ID Token contains your user ID (sub), issuer (iss), and other identity information. It's cryptographically signed so no one can tamper with it.
Types and Use Cases
ID Token Standard Claims:
- sub: Subject (user ID) - uniquely identifies the user
- iss: Issuer - URL of the OIDC provider (e.g., https://loginradius.com)
- aud: Audience - client_id of the application
- exp: Expiration time (Unix timestamp)
- iat: Issued at time
Common Use Cases:
- OIDC Authentication: Prove user identity to client application
- Single Sign-On (SSO): Federate identity across multiple apps
- Profile Information: Get the user's name, email, and picture from the ID Token
- API Gateway: Validate the ID Token at an API gateway (stateless auth)
How it Works
// ID Token (JWT) - Decoded for readability
{
"header": {
"alg": "RS256",
"typ": "JWT"
},
"payload": {
"sub": "user_12345",
"iss": "https://loginradius.com",
"aud": "client_id_67890",
"exp": 1709631000,
"iat": 1709630800,
"email": "user@example.com",
"name": "John Doe",
"picture": "https://example.com/photo.jpg"
},
"signature": "RS256_signature_here"
}
ID Token (Identity Token) vs Access Token
- Purpose: ID Token contains identity claims (who you are); Access Token is for authorization (what you can do)
- Consumer: ID Token is for the client application (proves identity); Access Token is for the resource server (access API)
- Where it is sent: ID Token is not sent to APIs; Access Token is sent to APIs for authorization
Best Practices for ID Token (Identity Token)
- Validate Signature: Always validate the ID Token signature (using the IdP's public key) before trusting any claims
- Check Standard Claims: Verify iss, aud, and exp before accepting the ID Token
- Don't Send to APIs: The ID Token is for the client app only; use the Access Token for API calls
How LoginRadius Powers ID Token (Identity Token)
LoginRadius CIAM platform issues OpenID Connect-compliant ID Tokens (signed JWTs) with RS256 algorithm. Our platform provides JWKS endpoint for signature validation, standard claims (sub, iss, aud, exp, iat), custom claims (email, name, picture, roles), and comprehensive OIDC flows (Authorization Code, Implicit, Hybrid). LoginRadius also provides validation libraries and sample code for all major platforms.
FAQs
ID Token contains identity claims (sub, email, name) for the client application (proves 'who you are'). Access Token is for authorization (bearer token for API calls - 'what you can do'). ID Token is validated by client app; Access Token is validated by resource server (API). OIDC flows return both tokens.
Validate ID Token: (1) Check Signature - use IdP's public key (JWKS endpoint), (2) Verify Claims - iss (issuer), aud (client_id), exp (not expired), (3) Check Nonce - prevent replay attacks. LoginRadius provides JWKS endpoint and validation libraries for all major platforms (Node.js, Java, .NET, Python).
LoginRadius issues signed ID Tokens (RS256 algorithm) for all OpenID Connect flows (Authorization Code, Implicit, Hybrid). Our platform provides JWKS endpoint for signature validation, standard OIDC claims (sub, iss, aud, exp), and custom claims (email, name, roles). LoginRadius ID Tokens are compliant with OIDC specification and can be validated using standard libraries.