Associating access token to customer account

What is the typical best practice for associating a user with a customer account? For example, when the user logs in, they get back the access token. Within that access token, it will have scopes such as crud:calendar. While I trust that this user has permission to now perform CRUD operations on the calendar, I only want to allow them to perform CRUD operations on the calendar that is associated to their account.

What would be the general best practice for doing this? I could add the customer account id to the scope… But I want to get what the general best practice would be.

For an access token issued as part of an end-user authentication flow, the sub claim it contains will by default hold the user identifier of the relevant user, so you can use that information to track user-specific resources.

The value of sub maps to the user_id within the user profile, so the reference docs for user identifiers also apply to this scenario (Identify Users).

Thanks @jmangelo. I understand the value of sub matches the user ID. I would also like to include the account id that the user is part of. I assume that the place to put this would be in app_metadata?
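As an added example (not from this thread or from Auth0's SDKs), a small Python resource-server check that verifies the access token, checks the crud:calendar scope, and then checks that the requested calendar belongs to the account id carried in a custom claim, so the scope decides what the caller may do and the ownership check decides on which calendar. The HS256 shared secret, the namespaced claim name and the in-memory calendar table are assumptions for the example; an Auth0-issued access token would normally be RS256 and verified against the tenant's JWKS, and an app_metadata value only reaches the token if it is added as a custom claim.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: a shared HMAC secret and an in-memory
# calendar table mapping calendar id -> owning account id.
SECRET = b"example-secret-not-for-production"
CALENDARS = {"cal-100": "acct-1", "cal-200": "acct-2"}
# Assumed name for the namespaced custom claim carrying the user's account id.
ACCOUNT_CLAIM = "https://example.com/account_id"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; stands in for the authorization server."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SECRET) -> dict:
    """Check alg and signature before trusting any claim; raise on failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def authorize_calendar(claims: dict, calendar_id: str) -> tuple:
    """Scope says what the caller may do; ownership says on which calendar."""
    if "crud:calendar" not in claims.get("scope", "").split():
        return False, "missing scope"
    owner = CALENDARS.get(calendar_id)
    if owner is None:
        return False, "no such calendar"
    if owner != claims.get(ACCOUNT_CLAIM):
        return False, "calendar belongs to another account"
    return True, claims["sub"]
```

The ownership lookup is keyed on the calendar, not on the token, so a valid token with the right scope still cannot reach another account's calendar.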
