An ID token is a JWT containing claims about the user who just authenticated. It’s issued by OIDC providers (Google, Microsoft, Okta, etc.) alongside the access token, and it’s the canonical way to know who signed in.
What’s in it
Standard OIDC claims:
sub — the user’s unique subject identifier (stable, use this as the account key)
iss — the issuer (the IdP’s URL)
aud — the audience (your client ID)
exp — expiration timestamp
iat — issued-at timestamp
email, name, picture — profile claims (if requested via scope)
How it’s used
The client (your app) decodes the ID token, verifies the signature against the IdP’s JWKS, checks iss and aud, and extracts the user’s identity. That’s it.
Common mistake
Do not send the ID token to your API as a bearer token. That’s what the access token is for. The ID token is a proof-of-authentication for the client; the access token is a proof-of-authorization for the resource server. Different audiences, different purposes.
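As an added example (not code from the original page or from any of the providers named above), here is the client-side step from "How it’s used" in Go using only the standard library: an RS256 signature check against the JWKS entry selected by the header’s kid, followed by the iss, aud and exp checks from the claims list. The IdP stand-in (NewDemoIdP, MintIDToken), the kid 2024-05, the issuer https://idp.example.com and the client ID client-abc are all constructed for the example. The same aud check is what the "Common mistake" turns on: a verifier that expects an API’s own audience will, correctly, reject an ID token that was minted for the client.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// JWK is one RSA entry of an IdP's published key set; encoding/json maps kty/kid/n/e onto it case-insensitively.
type JWK struct{ Kty, Kid, N, E string }

// Claims are the OIDC claims checked here (aud as a single string; the array form the JWT spec allows is not handled).
type Claims struct{ Sub, Iss, Aud string; Exp int64 }

// keyByKid rebuilds the rsa.PublicKey from the JWK whose kid the token header names.
func keyByKid(jwks []JWK, kid string) (*rsa.PublicKey, error) {
	for _, k := range jwks {
		if k.Kid != kid || k.Kty != "RSA" {
			continue
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, fmt.Errorf("malformed JWK %q", kid)
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid)
}

// VerifyIDToken is the client-side check from the text: pin RS256, verify the signature with the JWKS key named by kid, then check iss, aud and exp.
func VerifyIDToken(token string, jwks []JWK, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrRaw, errH := b64.DecodeString(parts[0])
	body, errB := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errB != nil || errS != nil {
		return nil, fmt.Errorf("token segments are not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unusable header (alg %q): this verifier pins RS256", hdr.Alg)
	}
	pub, err := keyByKid(jwks, hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify against JWKS key %q", hdr.Kid)
	}
	var c Claims // parsed only once the signature holds
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("issuer %q is not the expected %q", c.Iss, wantIss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("token was issued for %q, not for %q", c.Aud, wantAud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// NewDemoIdP stands in for a real provider (constructed for this example): a fresh RSA key pair plus the JWKS entry for it under kid.
func NewDemoIdP(kid string) (*rsa.PrivateKey, []JWK) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv, []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}
}

// MintIDToken signs claims as the demo IdP would: RS256 over header.payload, kid in the header.
func MintIDToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(map[string]interface{}{"sub": c.Sub, "iss": c.Iss, "aud": c.Aud, "exp": c.Exp})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}
```

VerifyIDToken pins RS256 instead of honouring whatever alg the token advertises, and it parses the claims only after the signature verifies, so a bad issuer or audience is never read from an unsigned body. A production client would additionally fetch and cache the JWKS from the issuer’s discovery document, handle key rotation, and accept the array form of aud.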
See the full auth glossary for related terms.