_access-token-claims.mdx

import APIBlock from 'src/components/api/APIBlock.astro';
import APIField from 'src/components/api/APIField.astro';
import AuthenticationTypeValues from 'src/content/docs/_shared/authentication-type-values.astro';
import InlineField from 'src/components/InlineField.astro';
import RemovedSince from 'src/components/api/RemovedSince.astro';

The unique Id of the Application for which the User has been authenticated. A JWT can only represent authorization to a single Application.
This claim is only present if the User has a registration to the Application.

To obtain a JWT for another Application you must either authenticate again with a different `applicationId` using the [Authentication](/docs/apis/login#authenticate-a-user) API or utilize the [Issue a JWT](/docs/apis/jwt#issue-a-jwt) API to exchange a valid JWT for another.
The audience the JWT is intended for. This registered claim is defined by [RFC 7519 Section 4.1.3](https://tools.ietf.org/html/rfc7519#section-4.1.3).
This claim will be equal to the `client_id`.
The method used to authenticate the User which resulted in this JWT being generated. The possible values are:
<AuthenticationTypeValues />
The time of the initial authentication request, expressed as UNIX time, which is the number of seconds since Epoch. This claim will remain the same even when the token has been re-issued through the use of a Refresh Token.
The email address of the User whose claims are represented by this JWT.
<RemovedSince since="1.50.0">
In version `1.50.0` and later this claim is not returned when the <InlineField>oauthConfiguration.scopeHandlingPolicy</InlineField> value of the Application is `Strict`.
</RemovedSince>
The OpenID Connect claim indicating if the User's email has been verified.
<RemovedSince since="1.50.0">
In version `1.50.0` and later this claim is not returned when the <InlineField>oauthConfiguration.scopeHandlingPolicy</InlineField> value of the Application is `Strict`.
</RemovedSince>
The expiration instant of the JWT, expressed as UNIX time, which is the number of seconds since Epoch. This registered claim is defined by [RFC 7519 Section 4.1.4](https://tools.ietf.org/html/rfc7519#section-4.1.4).
The instant that the JWT was issued, expressed as UNIX time, which is the number of seconds since Epoch. This registered claim is defined by [RFC 7519 Section 4.1.6](https://tools.ietf.org/html/rfc7519#section-4.1.6).
The unique identifier for this JWT. This registered claim is defined by [RFC 7519 Section 4.1.7](https://tools.ietf.org/html/rfc7519#section-4.1.7).
The issuer of the JWT. For FusionAuth, this is always the value defined in the tenant JWT configuration. This registered claim is defined by [RFC 7519 Section 4.1.1](https://tools.ietf.org/html/rfc7519#section-4.1.1).
The username of the User whose claims are represented by this JWT.
<RemovedSince since="1.50.0">
In version `1.50.0` and later this claim is not returned when the <InlineField>oauthConfiguration.scopeHandlingPolicy</InlineField> value of the Application is `Strict`.
</RemovedSince>
The roles assigned to the User in the authenticated Application. This claim is only present if the User has a registration to the Application.
The scope of the access token. The meaning of this field is specified by [RFC 6749 Section 3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).
Contains the validated and consented OAuth scopes from the initial authentication request. See [Scopes](/docs/lifecycle/authenticate-users/oauth/scopes) for more detail on scope consent.
The unique Id of the refresh token returned along with this access token when the `offline_access` scope was requested. This unique Id is the persistent identifier for this refresh token, and will not change even when using one-time use refresh tokens. This value may optionally be used to revoke the token using the [Refresh Token API](/docs/apis/jwt#revoke-refresh-tokens).
The subject of the access token. This value is equal to the User's unique Id in FusionAuth. This registered claim is defined by [RFC 7519 Section 4.1.2](https://tools.ietf.org/html/rfc7519#section-4.1.2).
The FusionAuth Tenant unique Id.
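
How a resource server might apply the claims described above once the JWT signature has been verified. This is an added example, not FusionAuth's own code. The claim names are not shown in the text above: `iss`, `aud` and `exp` are the RFC 7519 names, while `auth_time`, `applicationId` and `roles`, the issuer URL, the Application Id, the age limit and the function name are assumptions made for illustration.

```python
import time

# Constructed deployment values (assumptions, not taken from the page).
ISSUER = "https://auth.example.com"              # tenant JWT issuer
APP_ID = "11111111-2222-3333-4444-555555555555"  # client_id, assumed equal to the Application Id
MAX_AUTH_AGE = 8 * 3600  # seconds allowed since the initial authentication
LEEWAY = 30              # tolerated clock skew, in seconds


def check_claims(claims, required_role=None, now=None):
    """Return rejection reasons for an ALREADY signature-verified payload."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss is not the tenant issuer")
    # aud equals the client_id; a JWT authorizes a single Application.
    aud = claims.get("aud")
    if APP_ID not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud names another Application")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + LEEWAY:
        problems.append("exp missing or in the past")
    # auth_time is unchanged by refresh-token re-issue, so it bounds the
    # session age even when exp has just been renewed.
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)) or now - auth_time > MAX_AUTH_AGE:
        problems.append("auth_time missing or initial authentication too old")
    # applicationId and roles exist only when the User is registered.
    if claims.get("applicationId") != APP_ID:
        problems.append("no registration for this Application")
    if required_role and required_role not in claims.get("roles", []):
        problems.append("missing role " + required_role)
    return problems


# Constructed sample: a token re-issued via refresh 9 hours after login.
SAMPLE_NOW = 1_700_000_000
SAMPLE = {
    "iss": ISSUER, "aud": APP_ID, "applicationId": APP_ID,
    "exp": SAMPLE_NOW + 600, "iat": SAMPLE_NOW,
    "auth_time": SAMPLE_NOW - 9 * 3600, "roles": ["user"],
}

if __name__ == "__main__":
    for reason in check_claims(SAMPLE, required_role="user", now=SAMPLE_NOW):
        print("reject:", reason)
```

The sample token has a fresh expiration but is rejected on session age alone, which is the practical consequence of the initial authentication time surviving refresh.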