Token response
The token response will be a JSON object containing the following:
token_type (string)
The type of access token, which will always be Bearer.
expires_in (number)
The number of seconds until the access token expires.
id_token (string)
A signed JWT that contains basic attributes about the user, signed using the RS256 algorithm. The public key used to verify this JWT is available from the certificates endpoint.
The id_token contains the following claims:
iss (string)
The issuer of the response, which will be the URL of the Login.gov IdP, for example: https://idp.int.identitysandbox.gov.
aud (string)
The audience, which will be the client_id.
acr (string)
The Authentication Context Class Reference value of the returned claims, from the original authorization request.
at_hash (string)
The access token hash, a URL-safe base-64 encoding of the left 128 bits of the SHA256 of the access_token value. Provided so the client can verify the access_token value.
c_hash (string)
The code hash, a URL-safe base-64 encoding of the left 128 bits of the SHA256 of the authorization code value. Provided so the client can verify the code value.
exp (number)
The expiration time for this token, an integer timestamp representing the number of seconds since the Unix Epoch.
iat (number)
Time at which the JWT was issued, an integer timestamp representing the number of seconds since the Unix Epoch.
jti (number)
The JWT ID, a unique identifier for the token which can be used to prevent reuse of the token. Should be an unguessable, random string generated by the client.
nbf (number)
The “not before” value, an integer timestamp of when the token will start to be valid (number of seconds since the Unix Epoch).
nonce (string)
The nonce value provided by the client in the authorization request. A unique value, at least 22 characters in length, used to verify the integrity of the id_token and mitigate replay attacks. This value should include per-session state and be unguessable by attackers. Read more about nonce implementation in the spec.
{ "access_token": "hhJES3wcgjI55jzjBvZpNQ", "token_type": "Bearer", "expires_in": 3600, "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJiMmQyZDExNS0xZDdlLTQ1NzktYjlkNi1mOGU4NGY0ZjU2Y2EiLCJpc3MiOiJodHRwczovL2lkcC5pbnQubG9naW4uZ292IiwiYWNyIjoiaHR0cDovL2lkbWFuYWdlbWVudC5nb3YvbnMvYXNzdXJhbmNlL2xvYS8xIiwibm9uY2UiOiJhYWQwYWE"}