Should your JWT be your user ID?

I’ve currently set up lock to sign up/log in with a user, then I’ll return the result, which contains the authtoken and the idtoken. As I understand, the authtoken is used for further API calls (?), whereas the idtoken is used to identify the user.

What I’m not exactly sure is whether you should use the JWT to create a new user. We’re using a custom API call to create a user but I’m not sure if we should use the idtoken for the id? I guess the JWT changes all the time a new auth happens, so the idtoken should be used in which cases? Only to verify whether the token is still valid? Or should the authtoken be used for that?

Sorry, I’m new to authentication and passing tokens, etc.

…which contains the authtoken and the idtoken…

I assume you mean the access_token and id_token?

You are correct in that the access_token should be used to make authenticated calls to your API. The access_token contains a sub claim that will contain the user identifier of the user for which the application was granted an access_token. In your API, after you have validated the access_token, you can use the sub claim as the user_id in your backend.

The id_token is generally used in the client for which it was granted, to customize the UI as required, e.g. hide login buttons for authenticated users, display the username, etc.

I suggest reading through the following documentation that outlines Access Tokens and ID Tokens:

Thanks, I’ve looked at the docs and also looked at the id_token document, it seems there is a sub claim but also a user_id, which seem to be the same for at least Google Auth, is there a difference between those two? I guess the sub is rather a split version of the user_id.