Access token headers and claims

The following tables list the headers and claims of an access token issued by the Authorization Server. Whether a field is required depends on the OAuth flow that produced the token, as noted for each entry. A resource server that receives such a token should check the header values and the required claims before it trusts anything else in the token.

Headers

kid
  Required: all OAuth flows.
  Description: The identifier of the public key with which you verify the signature, and therefore the integrity, of the access token issued by the Authorization Server. To obtain the public keys, make a request to the JSON Web Key Set endpoint and select the key whose kid matches the one in the header. If no published key has that kid, reject the token rather than falling back to another key. See OAuth 2.0 endpoints.

typ
  Required: all OAuth flows.
  Description: The type of token. It is set to JWT.

alg
  Required: all OAuth flows.
  Description: The algorithm used to sign the access token, and therefore the one to verify it with. It is set to RS256. A verifier should require RS256 rather than honor whatever value a presented token carries, so that a forged token cannot select a different algorithm.
Claims

sub
  Required: implicit and authorization code grant flows. Optional in the client credentials flow.
  Description: The subject of the access token: the resource owner's identifier as provided by the IdP.

ver
  Required: all OAuth flows.
  Description: The version of the access token format.

idp_id
  Required: implicit and authorization code grant flows.
  Description: The unique identifier of the IdP that authenticated the resource owner.

idp_iss
  Required: implicit and authorization code grant flows.
  Description: The iss claim of the JWT that the IdP issued when it authenticated the resource owner. If the IdP's JWT carries no iss claim, the IdP's token endpoint URL is used instead.

iss
  Required: all OAuth flows.
  Description: The issuer of the access token. It is set to oauth-signer.akamai.com. Reject tokens with any other issuer.

client_id
  Required: all OAuth flows.
  Description: The client ID of the client app configured in Control Center.

aud
  Required: all OAuth flows.
  Description: The audience the access token is intended for. It is an array of entries, each a hostname followed by the corresponding API base path. An API should accept the token only if the array contains the entry for its own hostname and base path.

nbf
  Required: all OAuth flows.
  Description: The time before which the token is not accepted for processing (a JWT NumericDate: seconds since the Unix epoch, as in RFC 7519).

grant_type
  Required: all OAuth flows.
  Description: The grant type used to generate the access token. The allowed values are implicit, client_credentials, and authorization_code. For refreshed access tokens, the grant type is set to authorization_code.

scope
  Required: all OAuth flows.
  Description: The scopes that the user agreed to grant to the client app on the consent page in OAuth Management.

exp
  Required: all OAuth flows.
  Description: The expiration time on or after which the token is not accepted for processing (a JWT NumericDate).

iat
  Required: all OAuth flows.
  Description: The time at which the access token was issued (a JWT NumericDate).

jti
  Required: all OAuth flows.
  Description: A unique identifier for the access token, useful for logging and for detecting a replayed token.
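The following script puts the two tables above to work: it validates a token's header (typ and alg pinned, kid looked up in a JWKS document, signature verified with the selected key) and then the claims (required set per grant type, iss, aud entry for this API, nbf/exp with clock skew, grant_type, scope). It is an added example, not Akamai's code. To run offline with the standard library only, it carries a minimal RSA implementation and generates a throwaway key pair in-process; the kid, audience, client_id, scopes and timestamps used with it are constructed test data, not values from a real Authorization Server. That scope is a space-separated string is an assumption, since the page does not state its encoding.

```python
"""RS256 access-token validation against the header and claim rules on this page.
Added example, not Akamai's code. Standard library only: a throwaway RSA key pair is generated
in-process; kid, audience, client_id, scopes and timestamps are constructed test data."""
import base64, hashlib, json, random, time

ISSUER = "oauth-signer.akamai.com"
GRANT_TYPES = {"implicit", "client_credentials", "authorization_code"}
ALWAYS_REQUIRED = ("ver", "iss", "client_id", "aud", "nbf", "grant_type", "scope", "exp", "iat", "jti")
USER_FLOW_REQUIRED = ("sub", "idp_id", "idp_iss")  # not required in the client credentials flow

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _int_b64u(i): return _b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))

# Minimal RSA (RSASSA-PKCS1-v1_5 with SHA-256, which is what RS256 means); demo only.
def _is_probable_prime(n, rounds=16):
    if n < 5 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def _prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(c): return c

def generate_rsa(bits=1024):
    """Throwaway key pair; a real verifier never makes keys, it fetches them from the JWKS endpoint."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e: return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(jwk, msg, sig):
    n, e = int.from_bytes(_b64u_dec(jwk["n"]), "big"), int.from_bytes(_b64u_dec(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(msg, k)

def jwks_for(key, kid):
    """The document a JSON Web Key Set endpoint would publish for this key (constructed)."""
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": _int_b64u(key["n"]), "e": _int_b64u(key["e"])}]}

def issue_token(key, kid, claims, alg="RS256"):
    """Play the Authorization Server: header as the Headers table specifies, then sign.
    alg is overridable only so a mislabelled header can be shown to be rejected."""
    header = {"kid": kid, "typ": "JWT", "alg": alg}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    return signing_input + "." + _b64u(rs256_sign(key, signing_input.encode()))

def validate_token(token, jwks, expected_aud, required_scopes=(), now=None, leeway=30):
    """Return the claims if the token is acceptable for expected_aud, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3: raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64u_dec(h64))
    # Pin typ/alg to what the Headers table promises; never let the token choose the algorithm.
    if header.get("typ") != "JWT" or header.get("alg") != "RS256": raise ValueError("unexpected typ/alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None: raise ValueError("unknown kid")  # no fallback key: unknown kid means reject
    if not rs256_verify(jwk, f"{h64}.{c64}".encode(), _b64u_dec(s64)): raise ValueError("bad signature")
    claims = json.loads(_b64u_dec(c64))  # only now is the payload worth reading
    missing = [c for c in ALWAYS_REQUIRED if c not in claims]
    if claims.get("grant_type") != "client_credentials":
        missing += [c for c in USER_FLOW_REQUIRED if c not in claims]
    if missing: raise ValueError(f"missing claims: {missing}")
    if claims["iss"] != ISSUER: raise ValueError("wrong issuer")
    if claims["grant_type"] not in GRANT_TYPES: raise ValueError("unknown grant_type")
    auds = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]  # no substring matches
    if expected_aud not in auds: raise ValueError("token not intended for this API")
    # nbf/exp are JWT NumericDates (seconds since the Unix epoch); allow a little clock skew.
    if claims["nbf"] > now + leeway: raise ValueError("token not yet valid")
    if claims["exp"] <= now - leeway: raise ValueError("token expired")
    # Assumption: scope is a space-separated string as in RFC 6749; a JSON array is accepted too.
    granted = set(claims["scope"].split()) if isinstance(claims["scope"], str) else set(claims["scope"])
    if not set(required_scopes) <= granted: raise ValueError("insufficient scope")
    return claims

def rejection_reason(token, jwks, expected_aud, **kw):
    """None if the token validates, otherwise the reason it was refused."""
    try:
        validate_token(token, jwks, expected_aud, **kw)
        return None
    except ValueError as err:
        return str(err)
```

The order of checks matters: the algorithm is pinned and the signature verified with the key selected by kid before any claim is read, so a token signed with a different key that borrows a known kid, or one whose header says alg none, is refused without its payload ever influencing a decision. The audience check normalizes aud to a list first, because `"x" in "some string"` is a substring test and would accept unintended audiences if aud were ever a bare string.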