
# Claims

ZITADEL asserts claims in different places according to the corresponding specifications and the project and client settings. The matrix below gives an overview of where each claim is asserted. Note that the access token only carries claims when it is issued as a JWT; an opaque access token carries none and has to be resolved through the introspection endpoint instead.

| Claim | Userinfo | Introspection | ID Token | Access Token |
| --- | --- | --- | --- | --- |
| `acr` | No | No | Yes | No |
| `address` | When requested | When requested | When requested and response_type id_token | No |
| `amr` | No | No | Yes | No |
| `aud` | No | No | Yes | When JWT |
| `auth_time` | No | No | Yes | No |
| `azp` | No | No | Yes | When JWT |
| `email` | When requested | When requested | When requested and response_type id_token | No |
| `email_verified` | When requested | When requested | When requested and response_type id_token | No |
| `exp` | No | No | Yes | When JWT |
| `family_name` | When requested | When requested | When requested and response_type id_token | No |
| `gender` | When requested | When requested | When requested and response_type id_token | No |
| `given_name` | When requested | When requested | When requested and response_type id_token | No |
| `iat` | No | No | Yes | When JWT |
| `iss` | No | No | Yes | When JWT |
| `locale` | When requested | When requested | When requested and response_type id_token | No |
| `name` | When requested | When requested | When requested and response_type id_token | No |
| `nonce` | No | No | Yes | No |
| `phone` | When requested | When requested | When requested and response_type id_token | No |
| `phone_verified` | When requested | When requested | When requested and response_type id_token | No |
| `preferred_username` (`username` in the introspection response) | When requested | When requested | Yes | No |
| `sub` | Yes | Yes | Yes | When JWT |
| `urn:zitadel:iam:org:domain:primary:{domainname}` | When requested | When requested | When requested | When JWT and requested |
| `urn:zitadel:iam:org:project:roles:{rolename}` | When requested | When requested | When requested or configured | When JWT and requested or configured |
| `urn:zitadel:iam:user:metadata` | When requested | When requested | When requested | When JWT and requested |
| `urn:zitadel:iam:user:resourceowner:id` | When requested | When requested | When requested | When JWT and requested |
| `urn:zitadel:iam:user:resourceowner:name` | When requested | When requested | When requested | When JWT and requested |
| `urn:zitadel:iam:user:resourceowner:primary_domain` | When requested | When requested | When requested | When JWT and requested |

## Standard Claims

| Claim | Example | Description |
| --- | --- | --- |
| `acr` | TBA | TBA |
| `address` | Teufener Strasse 19, 9000 St. Gallen | TBA |
| `amr` | `pwd mfa` | Authentication Method References as defined in RFC 8176 |
| `aud` | 69234237810729019 | By default all client IDs and the project ID are included |
| `auth_time` | 1311280969 | Unix time of the authentication |
| `azp` | 69234237810729234 | Client ID of the client that requested the token |
| `email` | [email protected] | Email address of the subject |
| `email_verified` | `true` | Boolean indicating whether the email was verified by ZITADEL |
| `exp` | 1311281970 | Expiry time of the token as Unix time |
| `family_name` | Runner | The subject's family name |
| `gender` | other | Gender of the subject |
| `given_name` | Road | Given name of the subject |
| `iat` | 1311280970 | Issued-at time of the token as Unix time |
| `iss` | https://issuer.zitadel.ch | Issuer of the token (the issuing ZITADEL domain) |
| `locale` | en | Preferred language of the subject |
| `name` | Road Runner | The subject's full name |
| `nonce` | blQtVEJHNTF0WHhFQmhqZ0RqeHJsdzdkd2d... | The nonce provided by the client |
| `phone` | +41 79 XXX XX XX | Phone number provided by the user |
| `preferred_username` | [email protected] | ZITADEL's login name of the user. Consists of [email protected] |
| `sub` | 77776025198584418 | Subject ID of the user |

## Custom Claims

This feature is not yet released

## Reserved Claims

ZITADEL reserves some claims to assert certain data. The `{domainname}` and `{rolename}` suffixes belong to the scope that requests the data; as the examples show, the claim itself is emitted under the prefix without the suffix.

| Claim | Example | Description |
| --- | --- | --- |
| `urn:zitadel:iam:org:domain:primary:{domainname}` | `{"urn:zitadel:iam:org:domain:primary": "acme.ch"}` | This claim represents the primary domain of the organization the user belongs to. |
| `urn:zitadel:iam:org:project:roles:{rolename}` | `{"urn:zitadel:iam:org:project:roles": [ {"user": {"id1": "acme.zitade.ch", "id2": "caos.ch"} } ] }` | When roles are asserted, ZITADEL does this by providing the organization ID and primary domain below the role. This lets you check in which organization a user holds the role, rather than only whether the user holds it anywhere. |
| `urn:zitadel:iam:roles:{rolename}` | TBA | TBA |
| `urn:zitadel:iam:user:metadata` | `{"urn:zitadel:iam:user:metadata": [ {"key": "VmFsdWU=" } ] }` | The metadata claim includes all metadata of a user. The values are base64 encoded. |
| `urn:zitadel:iam:user:resourceowner:id` | `{"urn:zitadel:iam:user:resourceowner:id": "orgid"}` | This claim represents the ID of the resource owner organization of the user. |
| `urn:zitadel:iam:user:resourceowner:name` | `{"urn:zitadel:iam:user:resourceowner:name": "ACME"}` | This claim represents the name of the resource owner organization of the user. |
| `urn:zitadel:iam:user:resourceowner:primary_domain` | `{"urn:zitadel:iam:user:resourceowner:primary_domain": "acme.ch"}` | This claim represents the primary domain of the resource owner organization of the user. |
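The following is an added example, not code from the ZITADEL project, showing how a resource server would consume the claims documented in the matrix and the reserved-claims table above: it checks the registered claims (`iss`, `aud`, `exp`, `iat`) of an already signature-verified JWT access token, resolves project roles per organization from `urn:zitadel:iam:org:project:roles`, and decodes the base64 values of `urn:zitadel:iam:user:metadata`. The payload, issuer, IDs and domains are constructed for the example; the helper accepts both the list-of-objects shape shown in the table and a plain object, which is an assumption made so the code does not break if the shape differs.

```python
import base64
import time
from typing import Any, Dict, Mapping, Optional, Set

ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"
METADATA_CLAIM = "urn:zitadel:iam:user:metadata"
RESOURCE_OWNER_ID_CLAIM = "urn:zitadel:iam:user:resourceowner:id"

# Constructed sample payload in the shape the tables above document. It is not
# a real ZITADEL token; issuer, IDs and domains are made up for this example.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "iss": "https://issuer.zitadel.ch",
    "sub": "77776025198584418",
    "aud": ["69234237810729234", "69234237810729019"],  # client ID and project ID
    "azp": "69234237810729234",
    "iat": 1311280970,
    "exp": 1311281970,
    ROLES_CLAIM: [
        {"user": {"id1": "acme.zitadel.ch", "id2": "caos.ch"}},
        {"admin": {"id1": "acme.zitadel.ch"}},
    ],
    METADATA_CLAIM: [{"key": "VmFsdWU="}],
    RESOURCE_OWNER_ID_CLAIM: "id1",
}


def _merge(value: Any) -> Dict[str, Any]:
    """Normalise a reserved claim to a single dict.

    The tables above show a list-of-objects form; a plain object is accepted
    too (assumption, so callers keep working if the emitted shape differs).
    """
    if value is None:
        return {}
    if isinstance(value, Mapping):
        return dict(value)
    merged: Dict[str, Any] = {}
    for item in value:
        merged.update(item)
    return merged


def validate_core_claims(claims: Mapping[str, Any], expected_issuer: str,
                         expected_audience: str, now: Optional[int] = None,
                         leeway: int = 0) -> None:
    """Check the registered claims of an already signature-verified JWT.

    Signature verification against the issuer's JWKS is assumed to have been
    done by a JOSE library; this only checks iss, aud, exp and iat.
    Raises ValueError on the first failed check.
    """
    now = int(time.time()) if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])  # aud may be a string or a list
    if expected_audience not in audiences:
        raise ValueError("token not intended for this audience")
    if "exp" not in claims or now > int(claims["exp"]) + leeway:
        raise ValueError("token expired or missing exp")
    if "iat" in claims and int(claims["iat"]) > now + leeway:
        raise ValueError("token issued in the future")


def roles_in_org(claims: Mapping[str, Any], org_id: str) -> Set[str]:
    """Return the project roles the subject holds in the given organization.

    Each role maps organization ID -> primary domain, so filtering on the org
    ID is what stops a role granted in another organization from counting.
    """
    roles = _merge(claims.get(ROLES_CLAIM))
    return {role for role, orgs in roles.items() if org_id in _merge(orgs)}


def roles_in_own_org(claims: Mapping[str, Any]) -> Set[str]:
    """Roles restricted to the subject's resource owner organization."""
    owner = claims.get(RESOURCE_OWNER_ID_CLAIM)
    return roles_in_org(claims, owner) if owner else set()


def decode_metadata(claims: Mapping[str, Any]) -> Dict[str, bytes]:
    """Decode the base64-encoded user metadata values to raw bytes."""
    return {key: base64.b64decode(value, validate=True)
            for key, value in _merge(claims.get(METADATA_CLAIM)).items()}


if __name__ == "__main__":
    validate_core_claims(SAMPLE_CLAIMS, "https://issuer.zitadel.ch",
                         "69234237810729019", now=1311281000)
    print(roles_in_org(SAMPLE_CLAIMS, "id1"))
    print(roles_in_own_org(SAMPLE_CLAIMS))
    print(decode_metadata(SAMPLE_CLAIMS))
```

A resource server should pass its project ID (or its own client ID) as `expected_audience`; because `aud` lists every client of the project plus the project ID, checking only that `aud` is non-empty would accept tokens minted for a different project on the same ZITADEL instance. Authorization decisions should use `roles_in_org` with the organization the request is made for, or `roles_in_own_org`, rather than the bare role name.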