ID Token.
An OIDC credential, always a signed JWT, that conveys identity claims about the authenticated user from the authorization server to the client.
Common mistake: using ID tokens to authorize API calls. The ID token is for identity, not authorization; its audience is the client, not the resource server. APIs validate access tokens, not ID tokens. Mixing the two is a classic OIDC misconfiguration.
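The resource-server side of this mistake, as an added example that is not part of the original page: an API that checks the audience rejects an ID token even though it is validly signed by the same issuer and unexpired. Assumptions: access tokens are JWTs, HS256 with a shared demo key stands in for the issuer's real signing key, and every name and value (`ISSUER`, `CLIENT_ID`, `API_AUDIENCE`, `make_jwt`, `authorize_api_call`) is constructed for the illustration.

```python
import base64, hashlib, hmac, json, time

# All names and values below are constructed for this example.
ISSUER = "https://idp.example.test"
CLIENT_ID = "web-client-123"                 # the OIDC client (ID token audience)
API_AUDIENCE = "https://api.example.test"    # this resource server
KEY = b"constructed-demo-key"                # HS256 stand-in for the issuer's signing key

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _unb64(txt):
    return base64.urlsafe_b64decode(txt + b"=" * (-len(txt) % 4))

def _sign(signing_input):
    return _b64(hmac.new(KEY, signing_input, hashlib.sha256).digest())

def make_jwt(claims):
    """Mint a constructed token, standing in for the authorization server."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return b".".join([head, body, _sign(head + b"." + body)]).decode()

def authorize_api_call(token, now=None):
    """Return (allowed, reason) for a bearer token presented to the API."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.encode().split(b".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":         # pin the algorithm, never trust the header
        return False, "unexpected alg"
    if not hmac.compare_digest(sig, _sign(head + b"." + body)):
        return False, "bad signature"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # The check an ID token fails: its aud is the client, not this API.
    if API_AUDIENCE not in audiences:
        return False, "audience is not this API"
    return True, "ok"
```

An API that skips the audience check would accept the ID token here, since its signature, issuer and expiry are all valid.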
Common questions
What's the difference between an ID token and an access token?
Should I use ID tokens for API auth?
What claims does an ID token carry?
In the guides
OAuth 2.1 Explained: What Changed and Why It Matters
OAuth 2.1 consolidates fifteen years of OAuth 2.0 practice into a single coherent specification. What it deprecates, what it requires, and how to migrate existing OAuth 2.0 code.
Session Management: JWTs vs Opaque Tokens, and How to Pick
JWT-based and opaque-token sessions trade off scale against revocability; the 2026 default is hybrid. Patterns, revocation, and where each is the right answer.