---
title: Token claims
description: All tokens in PingOne are JSON Web Tokens (JWTs) signed using the RS256 signing algorithm, except for refresh tokens which can be opaque. The following section lists the supported claims for each token type.
component: pingone-api
page_id: pingone-api:foundations:authentication-concepts/access-tokens-and-id-tokens/token-claims
canonical_url: https://developer.pingidentity.com/pingone-api/foundations/authentication-concepts/access-tokens-and-id-tokens/token-claims.html
section_ids:
  access-token-claims: Access token claims
  id-token-claims: ID Token claims
  refresh-tokens: Refresh tokens
---

# Token claims

All tokens in PingOne are JSON Web Tokens (JWTs) signed using the RS256 signing algorithm, except for refresh tokens which can be opaque. The following section lists the supported claims for each token type.

## Access token claims

For access tokens, the JWT header must contain the ID of the signing key as the `kid` claim, and can optionally include the `x5t` claim and the `typ` claim with a value of `at+jwt`.

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | On March 2, 2027, the `includeTyp` property will be removed, and PingOne will always include the `typ` header claim with a value of `at+jwt` when minting access tokens, regardless of whether the intended audience is the UserInfo endpoint, PingOne APIs, or custom resources. To avoid service disruptions, set the `includeTyp` property to `true` for each of your applications before this date. To resolve any issues, verify that each remains functional and work with the application team, the custom resource team, or both. Learn more in the [Applications OIDC settings data model](../../../platform/applications/applications-1.html#applications-oidc-settings-data-model). |

| Claim       | Description                                                                                                                                                                                                                                                                                                                                                                                    |
| ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `auth_time` | The time when the user authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T00:00:00Z, as measured in UTC, until the authentication occurred. This claim is not present for `client_credentials` tokens. |
| `acr`       | A string that identifies the authentication policy that was completed when the original authentication was performed. If the authentication policy is a sign-on policy, then this string will be the name of the sign-on policy. If the authentication policy is a flow policy, then this string will be the ID of the flow policy. This claim is not present for `client_credentials` tokens. |
| `sub`       | A string that specifies the identifier for the authenticated user. This claim is not present for `client_credentials` tokens.                                                                                                                                                                                                                                                                  |
| `client_id` | A string that specifies the application that requested this token.                                                                                                                                                                                                                                                                                                                             |
| `aud`       | A string that lists the names of resources that this token is intended for. The resource of an application's resource access grant is included if one or more scopes from the grant is requested and granted.                                                                                                                                                                                  |
| `scope`     | A string that specifies the space-separated list of scope names associated with this token in the format described in [Section 3.3 of OAuth 2.0 RFC6749](https://tools.ietf.org/html/rfc6749#section-3.3).                                                                                                                                                                                     |
| `iss`       | A string that specifies the per-environment issuer URI, for example `https://auth.pingone.com/<environmentId>/as`. |
| `iat`       | An integer that specifies the timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token was originally issued, as defined in [JWT RFC7519](https://tools.ietf.org/html/rfc7519).                                                                                                                                                                     |
| `exp`       | An integer that specifies the timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token will expire, as defined in [JWT RFC7519](https://tools.ietf.org/html/rfc7519).                                                                                                                                                                               |
| `sid`       | A string that specifies the identifier for the user session. This claim is not present for `client_credentials` tokens.                                                                                                                                                                                                                                                                        |
| `jti`       | A string that specifies the JWT identifier.                                                                                                                                                                                                                                                                                                                                                    |
| `env`       | A string that specifies the environment ID of the authenticated user or application. This claim is not present when the resource's `audience` property does not include the PingOne platform API resource.                                                                                                                                                                                     |
| `org`       | A string that specifies the organization ID of the authenticated user or application. This claim is not present when the resource's `audience` property does not include the PingOne platform API resource. |
| `x5t`       | A string that specifies the base64url-encoded SHA-1 thumbprint of the DER encoding of the X.509 certificate corresponding to the key used to digitally sign the JWS.                                                                                                                                                                                                                           |

Access token sample for an authorization request (JWT) with `response_type=code token id_token` (and `offline_access` not added to the app):

```json
{
  "kid": "4bb6d480-8ce4-11ef-bb5f-6d67555e3c65",
  "typ": "at+jwt",
  "alg": "RS256"
}.{
  "client_id": "6ab85b77-ff75-42af-9fe9-cb7f83a2ede4",
  "iss": "https://auth.pingone.com/6991589d-87eb-47f4-9131-284cebe106b3/as",
  "jti": "ef62d8f0-e84b-4579-9b08-5734c5ae496b",
  "iat": 1738356020,
  "exp": 1738361420,
  "aud": [
    "https://iam-x.com"
  ],
  "scope": "openid x1",
  "sub": "1fc88a5e-a677-4df7-81ae-75df4f7839d2",
  "sid": "44d69428-b3ad-442f-8101-5c136bd67d8f",
  "auth_time": 1738356019,
  "acr": "Single_Factor",
  "env": "6991589d-87eb-47f4-9131-284cebe106b3",
  "org": "d4229c38-0f5e-4bf7-9292-9d3b0df7294c"
}.[Signature]
```
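The claim rules above are what a resource server must enforce once it has verified the RS256 signature against the environment's JWKS (selecting the key by the `kid` header). The following validator is an added example, not PingOne code: it assumes signature verification has already happened, uses a constructed placeholder signature, and takes its sample claims from the access token shown above; `CLOCK_SKEW` is an assumed tolerance.

```python
import base64
import json
import time
from typing import Optional

# Allowed clock drift between PingOne and the resource server, in seconds (assumed value).
CLOCK_SKEW = 60


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_parts(token: str) -> tuple:
    """Split a compact JWS into (header, payload). The signature is NOT checked here."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def validate_access_token_claims(token: str, environment_id: str, expected_audience: str,
                                 required_scopes: set, now: Optional[int] = None) -> list:
    """Apply the claim rules from the table above. Returns a list of problems; empty means accepted."""
    now = int(time.time()) if now is None else now
    problems = []
    header, claims = decode_jwt_parts(token)

    # Header: RS256 only, kid must be present, typ (when present) must be at+jwt.
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if not header.get("kid"):
        problems.append("missing kid header")
    if "typ" in header and header["typ"] != "at+jwt":
        problems.append(f"typ is {header['typ']!r}, expected at+jwt")

    # iss is per environment: compare the whole string, never just a prefix.
    if claims.get("iss") != f"https://auth.pingone.com/{environment_id}/as":
        problems.append("issuer mismatch")

    # aud names the resources the token is for; the sample shows a JSON array,
    # but a bare string is accepted too.
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_audience not in audiences:
        problems.append("audience mismatch")

    # exp and iat are integer epoch seconds (RFC 7519).
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or exp <= now - CLOCK_SKEW:
        problems.append("token expired or exp missing")
    if not isinstance(iat, int) or iat > now + CLOCK_SKEW:
        problems.append("iat missing or in the future")

    # scope is a space-separated list (RFC 6749 section 3.3).
    missing = set(required_scopes) - set(claims.get("scope", "").split())
    if missing:
        problems.append(f"missing scopes: {sorted(missing)}")
    return problems


def build_unsigned_sample(header: dict, claims: dict) -> str:
    """Assemble a compact JWT with a placeholder signature (constructed, for the demo only)."""
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)]
    return ".".join(segments + ["placeholder-signature"])


SAMPLE_ENV = "6991589d-87eb-47f4-9131-284cebe106b3"
# Claims taken from the sample access token above.
SAMPLE_TOKEN = build_unsigned_sample(
    {"kid": "4bb6d480-8ce4-11ef-bb5f-6d67555e3c65", "typ": "at+jwt", "alg": "RS256"},
    {"client_id": "6ab85b77-ff75-42af-9fe9-cb7f83a2ede4",
     "iss": f"https://auth.pingone.com/{SAMPLE_ENV}/as",
     "jti": "ef62d8f0-e84b-4579-9b08-5734c5ae496b",
     "iat": 1738356020, "exp": 1738361420,
     "aud": ["https://iam-x.com"], "scope": "openid x1",
     "sub": "1fc88a5e-a677-4df7-81ae-75df4f7839d2"},
)

if __name__ == "__main__":
    # Evaluate the sample as if the clock read shortly after it was issued.
    print(validate_access_token_claims(SAMPLE_TOKEN, SAMPLE_ENV, "https://iam-x.com", {"openid"}, now=1738356100))
```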

## ID Token claims

ID tokens are signed with the same key as the access token. The JWT header must contain the ID of the signing key as the `kid` claim and can optionally include the `x5t` claim.

| Claim              | Description                                                                                                                                                                                                                                                                                                                             |
| ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `sub`              | A string that specifies the identifier for the authenticated user.                                                                                                                                                                                                                                                                      |
| `aud`              | A string that lists the names of resources that this token is intended for. The resource of an application's resource access grant is included if one or more scopes from the grant is requested and granted.                                                                                                                           |
| `iss`              | A string that specifies the per-environment issuer URI: `https://auth.pingone.com/<environmentId>/as` or `https://<customDomain>/as`.                                                                                                                                                                                                   |
| `iat`              | An integer that specifies the timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token was originally issued, as defined in [JWT RFC7519](https://tools.ietf.org/html/rfc7519).                                                                                                              |
| `exp`              | An integer that specifies the timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token will expire, as defined in [JWT RFC7519](https://tools.ietf.org/html/rfc7519).                                                                                                                        |
| `sid`              | A string that specifies the identifier for the user session.                                                                                                                                                                                                                                                                            |
| `auth_time`        | The time when the user authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T00:00:00Z, as measured in UTC, until the authentication occurred. |
| `nonce`            | A string that specifies the value used to associate a client session with an `id_token`, and to mitigate replay attacks. The value is passed through unmodified from the authentication request to the ID token.                                                                                                                        |
| `at_hash`          | A case-sensitive string that specifies the access token hash value, which is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access token value. For more information, refer to [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken). |
| `c_hash`           | A case-sensitive string that specifies the code hash value, which is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the code value. For more information, refer to [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken).               |
| `acr`              | A string that specifies the name of the sign-on policy that was completed when the original authentication was performed. This claim is present only if an ID token was minted.                                                                                                                                                         |
| `amr`              | A string array that specifies the methods associated with the authenticators used when the original authentication was performed. This claim is present only if an ID token was minted.                                                                                                                                                 |
| `p1.userId`        | The PingOne user identifier.                                                                                                                                                                                                                                                                                                            |
| `p1.region`        | The PingOne geographic domain.                                                                                                                                                                                                                                                                                                          |
| `p1.mfa_device_id` | ID of the device that was used to authenticate.                                                                                                                                                                                                                                                                                         |
| `x5t`              | A string that specifies the base64url-encoded SHA-1 thumbprint of the DER encoding of the X.509 certificate corresponding to the key used to digitally sign the JWS.                                                                                                                                                                    |

|   |                                                                                                                                                                                                                                                                                                                                                                                                            |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Standard OpenID Connect scopes can be specified in an authorization request to control which user claims are included in an `id_token` or in a `userinfo` response. For more information about OIDC scopes and their associated user claims, refer to [OpenID Connect (OIDC) scopes](../../pingone-roles-scopes-and-permissions/access-services-through-scopes-and-roles/openid-connect-oidc-scopes.html). |

ID token sample for an authorization request (JWT) with `response_type=code token id_token` (and `offline_access` not added to the app):

```json
{
  "kid": "4bb6d480-8ce4-11ef-bb5f-6d67555e3c65",
  "alg": "RS256"
}.{
  "iss": "https://auth.pingone.com/6991589d-87eb-47f4-9131-284cebe106b3/as",
  "sub": "1fc88a5e-a677-4df7-81ae-75df4f7839d2",
  "aud": "6ab85b77-ff75-42af-9fe9-cb7f83a2ede4",
  "iat": 1738356020,
  "exp": 1738356320,
  "acr": "Single_Factor",
  "amr": [
    "pwd"
  ],
  "auth_time": 1738356019,
  "at_hash": "4nTgewkCcK9EPa5P2y5EaA",
  "nonce": "abc",
  "sid": "44d69428-b3ad-442f-8101-5c136bd67d8f",
  "c_hash": "sZ8YIIB90mDqqO4-8wOvhg",
  "p1.userId": "1fc88a5e-a677-4df7-81ae-75df4f7839d2",
  "env": "6991589d-87eb-47f4-9131-284cebe106b3",
  "org": "d4229c38-0f5e-4bf7-9292-9d3b0df7294c",
  "p1.region": "NA"
}.[Signature]
```
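With `response_type=code token id_token`, the `at_hash`, `c_hash` and `nonce` claims are what tie the ID token to the access token, the code and the client session returned in the same response. The check below is an added example, not PingOne code: it assumes the ID token's RS256 signature was already verified, so the hash is SHA-256 and each claim is the base64url encoding of the left 128 bits of the digest, exactly as the table describes. The access token and code strings are constructed placeholders; `left_half_hash` and `check_id_token_binding` are names chosen here.

```python
import base64
import hashlib
import hmac
from typing import Optional


def left_half_hash(value: str) -> str:
    """at_hash / c_hash for an RS256 ID token: base64url (no padding) of the left-most
    128 bits of SHA-256 over the ASCII octets of the access token or code."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_id_token_binding(id_claims: dict, expected_issuer: str, client_id: str,
                           expected_nonce: str, access_token: Optional[str] = None,
                           code: Optional[str] = None) -> list:
    """Verify an ID token was issued for this client, this request and these artifacts.

    Call after the signature has been verified. Returns a list of problems; empty means accepted."""
    problems = []

    # For an ID token the audience is the client_id, not a resource name.
    if id_claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    aud = id_claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        problems.append("audience does not include this client_id")

    # nonce is echoed unmodified from the authentication request; it must match the value
    # the client stored for this session so a replayed ID token is rejected.
    if not _same(str(id_claims.get("nonce", "")), expected_nonce):
        problems.append("nonce mismatch")

    # at_hash / c_hash must be present and correct for every artifact returned alongside
    # the ID token (both are returned with response_type=code token id_token).
    for name, artifact in (("at_hash", access_token), ("c_hash", code)):
        if artifact is None:
            continue
        claimed = id_claims.get(name)
        if claimed is None:
            problems.append(f"{name} missing although the corresponding value was returned")
        elif not _same(claimed, left_half_hash(artifact)):
            problems.append(f"{name} mismatch")
    return problems


# Constructed placeholders: not real PingOne artifacts.
SAMPLE_ACCESS_TOKEN = "constructed.access.token"
SAMPLE_CODE = "constructed-authorization-code"
SAMPLE_ISSUER = "https://auth.pingone.com/6991589d-87eb-47f4-9131-284cebe106b3/as"
SAMPLE_CLIENT_ID = "6ab85b77-ff75-42af-9fe9-cb7f83a2ede4"
# Identity claims follow the sample ID token above; the hashes are computed over the placeholders.
SAMPLE_ID_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "sub": "1fc88a5e-a677-4df7-81ae-75df4f7839d2",
    "aud": SAMPLE_CLIENT_ID,
    "nonce": "abc",
    "at_hash": left_half_hash(SAMPLE_ACCESS_TOKEN),
    "c_hash": left_half_hash(SAMPLE_CODE),
}

if __name__ == "__main__":
    print(check_id_token_binding(SAMPLE_ID_CLAIMS, SAMPLE_ISSUER, SAMPLE_CLIENT_ID, "abc",
                                 SAMPLE_ACCESS_TOKEN, SAMPLE_CODE))
```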

## Refresh tokens

Refresh tokens are opaque tokens, or JWTs signed with the same key as the access token. They are not intended to be read by the client. Learn more about refresh token usage in [POST Token (refresh\_token) (CLIENT\_SECRET\_BASIC)](../../../auth/openid-connect-oauth-2/token-refresh_token-client-secret-basic.html).

Currently, you can choose for PingOne to issue either JWTs or opaque refresh tokens for OIDC-based applications. The `refreshTokenType` property of an OIDC application determines the format. Learn more in the [Applications OIDC settings data model](../../../platform/applications/applications-1.html#applications-oidc-settings-data-model).

As part of our ongoing commitment to security, after March 1, 2027, PingOne will issue only opaque refresh tokens, and JWTs will be deprecated. Opaque refresh tokens only include a unique string and don't require a digital signature, making them smaller, faster, and more private than JWTs.

By March 1, 2027, you must update existing applications to use opaque refresh tokens to avoid your users being unable to access resources they need. PingOne will return an error for any applications that aren't updated to use opaque refresh tokens by this date.

The following table shows the timeline for migrating to opaque tokens as the default:

| Refresh token type | Before Jan. 27, 2026 | Between Jan. 27, 2026 and March 1, 2027 | After March 1, 2027 |
| ------------------ | -------------------- | --------------------------------------- | ------------------- |
| **Opaque Token**   | Selectable           | Default                                 | Only option         |
| **JSON Web Token** | Default              | Selectable                              | Deprecated          |

***For OIDC applications created before January 27, 2026:***

* If `grant_types` is set to `refresh_token`, `refreshTokenType` defaults to `JSON_WEB_TOKEN`.

* You can change `refreshTokenType` to `OPAQUE_TOKEN`.

***For OIDC applications created between January 27, 2026 and March 1, 2027:***

* `refreshTokenType` defaults to `OPAQUE_TOKEN`.

* You can change `refreshTokenType` to `JSON_WEB_TOKEN`.

***After March 1, 2027:***

* PingOne will issue only opaque refresh tokens, and JWTs will be deprecated.

* `refreshTokenType` will be removed as an option for OIDC-based applications.

* For applications that aren't updated to use opaque refresh tokens, PingOne will return an error if it receives a JWT-based refresh token.

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | For application configuration properties that specify the refresh token duration, rolling duration, and rolling duration grace period, refer to the [Applications OIDC settings data model](../../../platform/applications/application-management.html#applications-oidc-settings-data-model). To configure your application to enable refresh token rotation (prevent reuse of refresh tokens), refer to the `additionalRefreshTokenReplayProtectionEnabled` property in the [Applications OIDC settings data model](../../../platform/applications/application-management.html#applications-oidc-settings-data-model). For additional information about refresh token rotation, refer to [Refresh token rotation](https://docs.pingidentity.com/pingone/applications/p1_refresh_token_rotation.html) in the PingOne admin guide. |

| Claim       | Description                                                                                                                                                                                                                |
| ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `sub`       | A string that specifies the identifier for the authenticated user.                                                                                                                                                         |
| `aud`       | A string that lists the names of resources that this token is intended for. The resource of an application's resource access grant is included if one or more scopes from the grant is requested and granted.              |
| `iss`       | A string that specifies the per-environment issuer URI: `https://auth.pingone.com/<environmentId>/as` or `https://<customDomain>/as`.                                                                                      |
| `iat`       | An integer that specifies the timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token was originally issued, as defined in [JWT RFC7519](https://tools.ietf.org/html/rfc7519). |
| `exp`       | An integer that specifies the timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token will expire, as defined in [JWT RFC7519](https://tools.ietf.org/html/rfc7519).           |
| `sid`       | A string that specifies the identifier for the user session.                                                                                                                                                               |
| `scope`     | A string that specifies the space-separated list of scope names associated with this token in the format described in [Section 3.3 of OAuth 2.0 RFC6749](https://tools.ietf.org/html/rfc6749#section-3.3).                 |
| `jti`       | A string that specifies the JWT identifier.                                                                                                                                                                                |
| `auth_time` | The time when the user authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T00:00:00Z, as measured in UTC, until the authentication occurred. |
| `acr`       | A string that specifies the name of the sign-on policy that was completed when the original authentication was performed. This claim is present only if an ID token was minted.                                            |
| `amr`       | A string array that specifies the methods associated with the authenticators used when the original authentication was performed. This claim is present only if an ID token was minted.                                    |

Refresh token sample from the token request when the authorization request has `response_type=code token id_token` (and `offline_access` not added to the app):

```json
{
  "alg": "RS256",
  "kid": "default"
}.{
  "sub": "1fc88a5e-a677-4df7-81ae-75df4f7839d2",
  "jti": "8b819739-1e66-4a10-ba11-998b50ce35c0",
  "exp": 1738361432,
  "sid": "44d69428-b3ad-442f-8101-5c136bd67d8f",
  "scope": "openid x1",
  "auth_time": 1738356019,
  "acr": "Single_Factor",
  "amr": [
    "pwd"
  ],
  "iss": "https://auth.pingone.com/6991589d-87eb-47f4-9131-284cebe106b3/as"
}.[Signature]
```
