Access tokens are a secure way of authenticating users, and passing information about a user to to a system.
- Token Type - indicates the type of access token being used. For example,
Beareris a common token type used in OAuth 2.0. - Expiration Time -
exp- Access tokens come with an expiration time (also known as expiry or lifetime) after which it is no longer valid. The timestamp is usually represented in seconds and can be calculated using the Epoch timestamp (UNIX) or other methods. More about setting token expiry in Kinde. - Scopes -
scp- information about the scopes granted to the token holder. These scopes define what actions or resources the token can access. There can be multiple scope values, so the type of this claim is anarray. - Issuer - the entity that issued the access token. This is often represented as the token’s
issclaim in JWT. Typically your kinde domain e.g.https://<your_subdomain>.kinde.com - Subject - subject of the token, i.e., the user or entity for which the token was issued. Represented as the token’s
subclaim in JWT. If this an access token for a Kinde user this will be their ID e.g.kp_xxxx - Audience - intended recipient of the access token. Represented as the token’s
audclaim in JWT. There can be multiple audience values, so the type of this claim is anarray. - Issued At - timestamp of when the access token was issued. Represented as the token’s
iatclaim in JWT. The timestamp is usually represented in seconds and can be calculated using the Epoch timestamp (UNIX) or other methods. - Token ID -
jti- identifier for the access token, useful for tracking and validation purposes. See this definition. - Custom Claims - Not currently supported, but coming soon. See our product roadmap.
-
Organization -
org_codeclaim for the organization they are accessing. Format isorg_xxxx. -
Feature flags -
feature_flagsclaim. Access controls for what features the user can see and access. Format is:"feature_flags": { "analytics": { "t": "b", "v": true }, "theme": { "t": "s", "v": "pink" } }We use short codes for the various keys in the feature flags claim such as
tandvto keep the token size down.t=typev=valueb=booleani=integers=strong -
Permissions -
permissionsclaim controls for what the user can do in an app. This is an array. For example:"permissions": [ "create:competitions", "delete:competitions", "view:stats", "invite:users", "view:profile" ] -
External provided ID -
provided_idthe user ID from an external system. Commonly provided to Kinde as part of a user import. -
(Azure AD authentication only) Claims starting with
ext_indicate that user details have come from a third party enterprise auth provider like Azure AD. For example:"ext_groups": [ "group1", "group2" ], "ext_attributes": { "jobTitle": "engineer", "mail": "engineer@kinde.com", "preferredLanguage": "en", }
{
"aud": [
"myapp:prod-api"
],
"azp": "dee7f3c57b3c47e8b96edde2c7ecab7d",
"exp": 1693371599,
"feature_flags": {
"analytics": {
"t": "b",
"v": true
},
"theme": {
"t": "s",
"v": "pink"
}
},
"iat": 1693285199,
"iss": "https://<your_subdomain>.kinde.com",
"jti": "fbb6bc62-x64e-4256-8ea4-8fb9a645b123",
"org_code": "org_xxxxxxxxx",
"permissions": [
"create:competitions",
"delete:competitions",
"view:stats",
"invite:users",
"view:profile"
],
"scp": [
"openid",
"profile",
"email",
"offline"
],
"sub": "kp:_xxxxxxxxx" // your user id
}
When you use the refresh_token grant to refresh an access token, Kinde will return an existing access token if that existing access token is not expired. You will get a completely new access token if one (or more) of the following conditions are met:
- You revoke your existing access token
- Your user has signed out of their session, and your application has called the logout function in Kinde
- Your existing access token has expired.