Skip to content

JWT definitions

JWT claim details

Below are JTW claims and their expected values and locations. See also examples of response user access, user ID, and application access examples below.

Claim NameDescriptionExpected ValueLocation
account_idAccount ID of the user in IAMaccount uuidaccess token
ID token
amrAuthentication Methods ReferencesAn array of strings giving information about how the user is authenticated
Examples:
password
mfa - appears when MFA is used
sms_mfa - appears when MFA using SMS was used
software_token_mfa- appears when MFA using TOTP was used
federated - appears when the user was federated
trimble_okta
client_credentials
access token
ID token
application_nameName of the applicationstringaccess token
(client credentials grant only)
at_hashHash of the accompanying access tokenstringID token
audAudience
an array of relying parties (client ID tokens)
For access tokens: an array of unique IDs for applications/APIs intended to consume this token
For ID token tokens: this is a single string ID in the application that made the authentication request
access token
ID token
auth_timeThe time when the authentication occurredinteger, (Seconds since midnight Jan 1, 1970)access token
ID token
azpAuthorizing Party. Relying party’s client ID tokenstringaccess token
ID token
data_regionGeographic region that user data is stored inus/euaccess token
ID token
emailEmail address of the userstringID token
email_verifiedWhether the user’s email is verified or notboolean, true or falseID token
expTime on or after which the JWT MUST NOT be accepted for processinginteger, (Seconds since midnight Jan 1, 1970)access token
ID token
family_nameFamily name or surname of the userstringID token
federation_originThe federated system the user is signed in tostring
e.g., trimble_okta
ID token
given_nameFirstname or full name of this userstringID token
iatIssued At Time. The time the token was issuedinteger, (Seconds sing midnight Jan 1, 1970)access token
ID token
Identity_typeLogged user typeuser or applicationaccess token
ID token
issThe issuer of a tokenProd: https://id.trimble.com
Stage: https://state.id.trimblecloud.com
access token
ID token
jtiA unique identifier for the tokenstringaccess token
ID token
jwt_verThe version of this Trimble Identity Token{2}access token
ID token
nbfNot Before Time. Used to determine the age of a JWTinteger, (Seconds since midnight Jan 1, 1970)access token
ID token
nonceA value used to prevent replay attacks. Matches the value supplied during the authorization requestvalue supplied during auth requestID token
pictureURL of user’s profile picturestring, URLID token
scopeOpenID, or Application Namespace separated stringaccess token
subThe subject of the JWTuser or application UUIDaccess token
ID token

Response Payloads

Below are examples of responses for sent payloads from Trimble Identity v4.

User access token response

{
  "iss": "https://stage.id.trimblecloud.com",
  "exp": 1629479671,
  "nbf": 1629476071,
  "iat": 1629476071,
  "jti": "d12f4bab...",
  "jwt_ver": 2,
  "sub": "4d533...",
  "identity_type": "user",
  "amr": [
    "federated",
    "okta_trimble",
    "mfa"
  ],
  "auth_time": 1629476071,
  "azp": "c3275...",
  "aud": [
    "c32758..."
  ],
  "scope": "InvitationDemonstration",
  "account_id": "4d5335...",
}

User ID token response

{
  "iss": "https://stage.id.trimblecloud.com",
  "exp": 1629480574,
  "nbf": 1629476974,
  "iat": 1629476974,
  "jti": "d27065...",
  "jwt_ver": 2,
  "sub": "4d5335...",
  "aud": "c32758...",
  "identity_type": "user",
  "auth_time": 1629476974,
  "amr": [
    "federated",
    "okta_trimble",
    "mfa"
  ],
  "azp": "c32758...",
  "given_name": "John",
  "family_name": "Example",
  "email": "john_example@example-domain.com",
  "email_verified": true,
  "federation_origin": "okta_trimble",
  "account_id": "4d5335...",
  "picture": "https://profiles-image-stage.s3.us-west-2.amazonaws.com/profileimages/users/picture..."
}

Application access token response

{
  "iss": "https://stage.id.trimblecloud.com",
  "exp": 1629481989,
  "nbf": 1629478389,
  "iat": 1629478389,
  "jti": "70e6529...",
  "jwt_ver": 2,
  "sub": "271ec...",
  "application_name": "JavascriptSDKTesting",
  "identity_type": "application",
  "auth_time": 1629478389,
  "account_id": "271ec...",
  "amr": [
    "client_credentials"
  ]
}

Sample JWT for device access token

{
  "iss": "https://id.trimble.com",
  "exp": 111111,
  "nbf": 1111111,
  "iat": 11111111,
  "jti": "xxxxxx",
  "jwt_ver": 2,
  "sub": "device_id",
  "aud": [
    "app_id"
  ],
  "amr": [
    "certificate"
  ],
  "identity_type": "device",
  "auth_time": 11111111,
  "cnf": {
    "x5t#S256": "53a397b25879404477eaa65c51e889cdb0f74b23c8c8b156889c241380c9e411"
  },
  "azp": "xxxxxxxxx",
  "scope": "app_name",
  "account_id": "12345678-90ab-cdef-1234-567890abcdef",
}
  • To decode and verify the TID JWT Token, refer to Decode JWT