What is an OpenID Connect claim?

A claim is a single piece of information asserted about the authenticated user or the token itself, such as sub (the user identifier), email or name. Claims are delivered as JSON members inside the ID token and from the UserInfo endpoint.

Which claim should I use as the user's unique key?

Always use sub (subject). It is locally unique to the issuer and never reassigned. Do not key off email or preferred_username — those can change or be reused, which leads to account-takeover bugs.

What does email_verified mean?

It is a boolean asserting that the provider verified the user controls that email address at some point. Treat a missing or false value as unverified, and never grant trust based on the email alone without checking this flag.

Should I read claims from the ID token or UserInfo?

The ID token carries authentication claims (iss, sub, aud, exp, nonce) and may include profile claims. The UserInfo endpoint returns the same profile claims fresh on request. Use the ID token for the session, and call UserInfo when you need current profile data not present in the token.

OpenID Connect Claims Reference

Q: How do scopes relate to claims?

Scopes group claims for consent. Requesting the profile scope releases name, given_name, picture and similar; email releases email and email_verified; phone releases phone_number and its verified flag; and address releases the structured address object. The openid scope is mandatory and yields sub.

Read OpenID Connect claims correctly

OpenID Connect layers identity on top of OAuth 2.0 by returning claims about the authenticated user. Some claims are protocol metadata in the ID token (iss, sub, aud, exp, nonce); others describe the person and are released by scope (profile, email, phone, address). This tool lists the standard claims with their JSON data type, the scope that unlocks them, and where they appear — the ID token, the UserInfo endpoint, or both.

How it works

When a client requests scopes during login, the authorization server releases the matching claims after the user consents. The mandatory openid scope yields sub, the stable user identifier. The profile scope releases display claims such as name, given_name, picture, locale and updated_at; email releases email and email_verified; phone releases phone_number and its verified flag; and address releases a structured address JSON object. Protocol claims in the ID token let the client validate the token: iss and aud must match the expected issuer and client, exp bounds its lifetime, and nonce ties it back to the original request to prevent replay. The same profile claims can be fetched fresh from the /userinfo endpoint using the access token.

Tips and notes

Key your accounts on sub, never on email or preferred_username, both of which can change or be reused. Check email_verified before trusting an address, and remember address is a nested JSON object — read its formatted, country and postal_code sub-fields rather than expecting a plain string. Request only the scopes you genuinely need so the consent screen stays minimal and you collect less personal data. Finally, always validate the ID token’s signature, iss, aud, exp and nonce before trusting any claim inside it.

OpenID Connect Claims Reference

Email me this result

Read OpenID Connect claims correctly

How it works

Tips and notes