User access tokens

A user access token is returned upon each successful user authentication, and describes the access that was granted to the user. Access tokens are obtained by calling the /oidc/token endpoint. These tokens are also used to authorize Mosaic API requests that require the context of a logged-in user, such as Verification APIs. This describes the structure and semantics of the user access tokens returned by Mosaic.

Claims

The access token is a JWT (Json Web Token) signed by Mosaic, which includes the following claims:

Claim Description Type
sub Subject of the JWT (user_id). String
iss Issuer of the token, which should match the issuer returned from the /oidc/jwks endpoint.
iat Time the token was issued. Number
exp Expiration time, in epoch time format. The token must NOT be accepted on or after this time. Number
aud Audience, which is the intended recipient of the token. If a specific resource is requested, this contains the resource URI. Default is userid-api. String
scope Requested scopes, as a space delimited string String
roles Roles of the user, used to determine their permissions. Array
tid Identifer of the tenant the user requested to access. String
client_id Identifer of the client the user requested to access. String
app_name Friendly name of the application the user requested to access. String
app_id Identifer of the application the user requested to access. String
act Returned only in delegated access flows. Contains identifer of user to whom access was delegated in the sub subclaim. Object
permissions Returned only in delegated access flows. Contains a list of delegated permissions. Array

Token example

Here's an example of a decoded user access token:

Copy
Copied
{
  "tid": "",
  "app_name": "Acme",
  "app_id": "8flFllgrd1Wqiru4IGai0",
  "roles": [
    "smP3MD65l7hKXG6qJ-S5d"
  ],
  "jti": "IJMTqbmijVG7_LsJz-y5U",
  "sub": "bb8dc75.8AEM5PpWyJBH6opzIOrJ2.transmit",
  "iat": 1658056533,
  "exp": 1658060133,
  "scope": "offline_access",
  "client_id": "bb8dc75.8AEM5PpWyJBH6opzIOrJ2.transmit",
  "iss": "https://userid.security",
  "aud": "userid-api"
}