Skip to main content

JSON Web Token

We use JSON Web Tokens (JWT) throughout the system. The JWT contains basic user information and is signed either with the RS256 private key (external communication with the user) or the HS256 shared secret (internal communication with the customer backend).

A decoded example JWT:

"name": "Your User",
"email": "your.user@domain.tlg",
"aud": "",
"iss": "",
"nbf": 1661431682,
"exp": 1661431747,
"sub": "5bb37172-389d-483c-a488-8b87b16e1c31",
"q:idp": "google",
"q:idp-sub": "108323935178764345590",
"q:udb": "3cd6ffba-6ab1-4d96-b124-6cab88c602ed"

JSON Web Token Claims

The JWT contains the following claims:

  • name: The name of the user.
  • email: The email of the user if known.
  • aud: The audience of the JWT.
  • iss: The issuer of the JWT.
  • nbf: The not-before-time of the JWT (Unix Epoch, i.e. seconds since 1970-01-01).
  • exp: The expiration time of the JWT (Unix Epoch, i.e. seconds since 1970-01-01).
  • sub: The subject of the JWT. This is the identifier of the user.
  • q:idp: The identity provider of the user.
  • q:idp-sub: The subject of the identity provider of the user.
  • q:udb: The user database id.
Stable IDs

If your backend stores additional data for the user, always use the user identifier stored in the sub claim.

Logout URL

We recommend to construct the logout URL from the iss claim (i.e. <iss-claim>/logout) to be compatible with DevAuth.

JSON Web Token Signature

The token that is sent to the backend is signed with the HS256 algorithm, and the secret found on the Dashboard in the Qloud Console.