Scopes
| Scope | Description |
|---|---|
openid | OIDC — required for ID token issuance |
profile | Display name and avatar |
email | Email address |
Userinfo claims
GET /oauth/userinfo with Authorization: Bearer ACCESS_TOKEN returns:
| Claim | Scope | Description |
|---|---|---|
sub | openid | Stable user ID |
name | profile | Display name |
picture | profile | Avatar URL |
email | email | Email address |
email_verified | email | Always true for OakID accounts |
ID token
The token response includes anid_token (JWT, HS256). Validate iss, aud (your client_id), and exp before trusting claims.