Get ID Tokens

To get an ID token, you need to request them when authenticating users. Auth0 makes it easy for your app to authenticate users using:

• Quickstarts: The easiest way to implement authentication, which can show you how to use Universal Login, the Lock widget, and Auth0's language and framework-specific SDKs. Our Lock documentation and Auth0.js documentation provide specifics about retrieving an ID token after authentication.

• Authentication API: If you prefer to roll your own, you can call our API directly. First, you need to know which flow to use before following the appropriate flow tutorial.

You control which claims about the authenticated user are included in the ID token consumed by your application by including specific OpenID Connect Scopes in the scope parameter when you request tokens while authenticating users.

You can also create custom claims, which are claims that you define, control, and add to a token using a rule. As with other JWTs, you should validate an ID token before assuming that its contents can be trusted.

By default, an ID token is valid for 36000 seconds (10 hours). If there are security concerns, you can shorten the time period before the token expires, but remember that one of the purposes of this token is to improve performance by caching user information.

After an ID token has expired, you may want to renew your ID token. To renew the ID token, you can either re-authenticate the user using Auth0, or use a refresh token.

• Validate ID Tokens
• JSON Web Tokens
• JSON Web Token Claims
• Token Best Practices