An ID token, which contains user profile attributes, is consumed by an app and is typically used for user interface display. Auth0 issues all in JSON web token (JWT) format. If any of these checks fail, the token is considered invalid, and the request must be rejected.
  1. Validate the JWT.
  2. Check additional standard claims. If you’ve performed the standard JWT validation, you have already decoded the JWT’s Payload and looked at its standard claims. Additional claims to verify for ID tokens include:
    • Token audience (aud, string): The audience value for the token must match the client ID of the application as defined in your Application’s Settings in the Client ID field.
    • Nonce (nonce, string): Passing a nonce in the token request is recommended (required for the Implicit Flow) to help prevent replay attacks. The nonce value in the token must exactly match the original nonce sent in the request. See Mitigate Replay Attacks for details.

Learn more