Claims.
The pieces of information about an authenticated user that an identity token carries (sub, email, name, roles, custom organizational attributes); each is a named assertion the IdP makes about the user.
The recurring claim-handling bug: putting too much in the ID Token. Every request header that carries the token to the backend pays for its size. Issue the standard claims at session creation and fetch richer profile data from the userinfo endpoint when needed. Namespace custom claims: full URIs prevent collisions between providers' claims and your own additions.
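As an added illustration of the points above (example code written for this entry, not from any IdP library or guide), the following Python sorts a decoded ID Token payload into standard claims, URI-namespaced custom claims, and bare custom claims that can collide; trims the payload to the claims needed at session creation, naming what should come from userinfo instead; and measures what the token costs on the Authorization header. The token, the `https://app.example/claims/...` namespace, the issuer host, and the `SESSION_CLAIMS` selection are constructed assumptions; the standard-claim list is taken from RFC 7519 and OpenID Connect Core 1.0, section 5.1. Signature verification is deliberately out of scope here: verify first, then read claims.

```python
import base64
import json

# Registered JWT claims (RFC 7519) plus standard OIDC claims (OpenID Connect Core 1.0, 5.1).
STANDARD_CLAIMS = {
    "iss", "sub", "aud", "exp", "iat", "nbf", "jti", "auth_time", "nonce", "acr", "amr",
    "azp", "at_hash", "c_hash", "name", "given_name", "family_name", "middle_name",
    "nickname", "preferred_username", "profile", "picture", "website", "email",
    "email_verified", "gender", "birthdate", "zoneinfo", "locale", "phone_number",
    "phone_number_verified", "address", "updated_at",
}

# Assumption: what this application needs in the token to create a session.
# Everything else that is standard profile data is fetched from userinfo when needed.
SESSION_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce", "acr", "amr",
                  "azp", "at_hash", "email", "email_verified"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_unsigned(payload: dict) -> str:
    """Build header.payload.signature with a placeholder 32-byte signature (size modelling only)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.{b64url_encode(bytes(32))}"


def unverified_payload(token: str) -> dict:
    """Decode only the payload segment. Production code verifies the signature before this step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def is_namespaced(claim: str) -> bool:
    """Custom claims named by a full URI cannot collide with another provider's bare names."""
    return claim.startswith("https://") or claim.startswith("http://")


def classify_claims(payload: dict) -> dict:
    """Split claims into standard, URI-namespaced custom, and bare (collision-prone) custom."""
    out = {"standard": {}, "namespaced": {}, "unnamespaced": {}}
    for name, value in payload.items():
        if name in STANDARD_CLAIMS:
            out["standard"][name] = value
        elif is_namespaced(name):
            out["namespaced"][name] = value
        else:
            out["unnamespaced"][name] = value
    return out


def lean_payload(payload: dict):
    """Keep session claims and namespaced custom claims; list the rest as userinfo candidates."""
    keep, defer = {}, []
    for name, value in payload.items():
        if name in SESSION_CLAIMS or is_namespaced(name):
            keep[name] = value
        else:
            defer.append(name)
    return keep, defer


def find_collisions(idp_claims: dict, local_additions: dict) -> list:
    """Claim names that your own additions would silently overwrite in the IdP's payload."""
    return sorted(set(idp_claims) & set(local_additions))


def authorization_header_size(payload: dict) -> int:
    """Bytes the token costs on every request as 'Authorization: Bearer <token>'."""
    return len(f"Authorization: Bearer {encode_unsigned(payload)}".encode())


# Constructed sample: an over-stuffed ID Token payload.
BLOATED = {
    "iss": "https://idp.example", "sub": "user-123", "aud": "app-client",
    "exp": 1700003600, "iat": 1700000000,
    "email": "alice@example.com", "email_verified": True, "name": "Alice Example",
    "picture": "https://cdn.example/avatars/" + "a" * 200 + ".png",
    "address": {"street_address": "1 Example St", "locality": "Exampleton", "country": "EX"},
    "https://app.example/claims/roles": ["admin", "billing"],
    "https://app.example/claims/org_id": "org-42",
    "roles": ["viewer"],                         # bare name: collides across providers
    "groups": ["g%d" % i for i in range(50)],    # bulk data better served by userinfo
}

if __name__ == "__main__":
    buckets = classify_claims(unverified_payload(encode_unsigned(BLOATED)))
    print("collision-prone custom claims:", sorted(buckets["unnamespaced"]))
    keep, defer = lean_payload(BLOATED)
    print("defer to userinfo:", defer)
    print("header bytes bloated -> lean:", authorization_header_size(BLOATED), "->",
          authorization_header_size(keep))
```

Run it directly and it reports the two bare custom claims (`roles`, `groups`) as collision risks, the five claims that belong behind userinfo, and the per-request header savings of the trimmed token.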
Common questions
What are standard OIDC claims?
Where should I put custom claims — in the ID token or fetched from userinfo?
Should I trust every claim in a signed token?
In the guides
JWT Explained: JSON Web Tokens, JWT Authentication, and the Pitfalls
JWT (JSON Web Token) is the dominant signed-token format for authentication and API authorization. How JWT tokens are structured, how JWT authentication works in OAuth 2.0 / OIDC, which algorithms to pin, and the recurring vulnerability classes that keep biting implementers.
OpenID Connect (OIDC) Explained: The Modern Identity Layer on OAuth 2.0
OIDC adds authentication and identity claims to OAuth 2.0. How discovery, ID tokens, and the standard scopes work, plus the pitfalls that bite implementers in production.