Is the ID_TOKEN issued as part of the login process guaranteed to be in JWT format?

Is the ID token returned as part of the login process, irrespective of the provider (Auth0/Google/Facebook etc.) and connection type (Social, Enterprise…), guaranteed to be in JWT format? I want to accept the ID token as part of a server API, so I need to get the ID in JWT format so that I can decode it and get the USER ID (for example).

Yes, ID Tokens are always JWTs.
Don’t confuse them with access tokens, which may or may not be JWTs.

When calling an API, the access token grants access, and the ID token is not required, but if passed it can pass info about the user. It may be better to store that info in the access token.

John


Thanks John. In which scenario is the access token not in JWT format?

You’ll get an opaque token (useful only for calling /userinfo) if you leave out the audience parameter (or set audience to your tenant name):


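The distinction discussed in this thread, as an added example that is not part of the original posts: a server-side check that rejects opaque tokens, verifies a JWT, and only then reads the user ID from `sub`. It assumes HS256 signing so it runs on the standard library alone (a token signed with RS256 needs a JWT library and the issuer's public key instead); the function names, secret, issuer, audience and sample claims are all constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_jwt(token):
    """Split a compact JWT; return None when the token is opaque (not a JWT)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict) and "alg" in header):
        return None
    return header, claims, f"{parts[0]}.{parts[1]}".encode(), sig

def user_id_from_token(token, secret, audience, issuer, now=None):
    """Verify an HS256 JWT and return its `sub`; raise ValueError on any failure."""
    parsed = parse_jwt(token)
    if parsed is None:
        raise ValueError("opaque token: cannot be decoded locally")
    header, claims, signing_input, sig = parsed
    if header["alg"] != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was issued for a different audience")
    if claims.get("iss") != issuer or claims.get("exp", 0) <= (now or time.time()):
        raise ValueError("wrong issuer or token expired")
    if not claims.get("sub"):
        raise ValueError("no sub claim")
    return claims["sub"]

SECRET = b"constructed-demo-secret"  # constructed value, for the sample token only
def make_token(claims, secret=SECRET):
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"
```

Reading `sub` from the payload before the signature, audience, issuer and expiry checks pass would let any caller choose their own user ID, which is why the claim is returned only at the end.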