Allows adding custom data to the OIDC tokens
This step is used to add information that can be utilized by the relying party as part of the returned access or ID token. These pieces of information can be added as fully customizable key-value pairs, allowing you to gather relevant data about the SSO authentication process.
You can control where enriched claims appear in the token:
- Under a dedicated `custom_claims` object (default), which reduces the risk of collisions with standard JWT claims and provides a stable structure for token consumers.
- At the top level of the token payload, which is useful when migrating from another identity provider (for example, Okta or Auth0) or when downstream services expect claims like `tier` or `risk_level` directly at the token root.

| Field | Description |
|---|---|
| Token Enrichment Values | Custom key values that will be used as custom claims in the OIDC access and ID tokens. |
| Placement | Where to insert enriched claims in the token payload:<br>- `custom_claims` (default): insert claims under the `custom_claims` object.<br>- `root`: insert claims at the top level of the token payload. |

Consider a scenario where you want downstream services to know the user's loyalty tier and risk level calculated during the SSO flow. By including these values as custom claims in the OIDC access and ID tokens, you can securely return additional information to the client application upon flow completion, providing context for authorization and business logic (for example, show premium perks for loyalty_tier: "gold" or require step-up actions when risk_level is high).
The following example uses placement: custom_claims and includes loyalty_tier: "gold" and risk_level: "low":
```json
{
  "sub": "123",
  "iss": "https://userid.security",
  "custom_claims": {
    "loyalty_tier": "gold",
    "risk_level": "low"
  }
}
```

When using placement: root, you must never overwrite reserved JWT claims such as iss, sub, aud, iat, and exp.
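
The reserved-claim rule above, sketched as an added example (not the product's own code): hypothetical `enrich_payload` and `read_claim` helpers that place values according to the Placement setting and reject root-level keys that would overwrite an existing claim. Assumptions: the reserved set adds `nbf` and `jti` from RFC 7519 to the claims named above, and root placement also refuses any key already present in the payload.

```python
# Added example: illustrative helpers, not the product's implementation.
# Registered claims named on this page, plus nbf and jti from RFC 7519.
RESERVED = frozenset({"iss", "sub", "aud", "iat", "exp", "nbf", "jti"})


class ReservedClaimError(ValueError):
    """Raised when an enrichment key would shadow an existing token claim."""


def enrich_payload(base, enrichment, placement="custom_claims"):
    """Return a new payload with enrichment values placed per `placement`."""
    payload = dict(base)  # never mutate the caller's claims
    if placement == "custom_claims":
        # Namespaced: keys here cannot collide with top-level claims.
        merged = dict(payload.get("custom_claims", {}))
        merged.update(enrichment)
        payload["custom_claims"] = merged
        return payload
    if placement == "root":
        # Assumption: refuse reserved names and any key already in the token.
        clashes = sorted(k for k in enrichment if k in RESERVED or k in payload)
        if clashes:
            raise ReservedClaimError(f"refusing to overwrite claims: {clashes}")
        payload.update(enrichment)
        return payload
    raise ValueError(f"unknown placement: {placement!r}")


def read_claim(payload, name):
    """Consumer side: read an enriched claim from either placement."""
    if name in RESERVED:
        # Identity and validity claims are only ever trusted from the root.
        return payload.get(name)
    nested = payload.get("custom_claims", {})
    return nested[name] if name in nested else payload.get(name)


if __name__ == "__main__":
    # Constructed sample input matching the JSON example on this page.
    base = {"sub": "123", "iss": "https://userid.security"}
    values = {"loyalty_tier": "gold", "risk_level": "low"}
    print(enrich_payload(base, values))
    print(enrich_payload(base, values, placement="root"))
```

A token consumer migrating between placements can call `read_claim` so that authorization logic keeps working whichever placement the token was issued with.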