Scopes

ScopeDescription
openidOIDC — required for ID token issuance
profileDisplay name and avatar
emailEmail address
Request scopes as a space-separated list:
scope=openid profile email
Only scopes allowed for your client (set in Developer Portal) are granted.

Userinfo claims

GET /oauth/userinfo with Authorization: Bearer ACCESS_TOKEN returns:
ClaimScopeDescription
subopenidStable user ID
nameprofileDisplay name
pictureprofileAvatar URL
emailemailEmail address
email_verifiedemailAlways true for OakID accounts

ID token

The token response includes an id_token (JWT, HS256). Validate iss, aud (your client_id), and exp before trusting claims.