DOCUMENTATION
Guides
Recipient login

ID token details

Suggest Edits

This guide covers more details on ID tokens, supported claim types, and common errors.

Example ID token

{
  "accounts": [
          xxxxxxxx,
          xxxxxxxx, 
  ],
  "at_hash": "Co2282PF4GxdNExDUy4O8A",
  "aud": "paprika",
  "exp": 1730375923,
  "grant_id": "dfb491d5-599e-413f-8957-ae889732d2b6",
  "iat": 1730289523,
  "iss": "https://idp.ddp.akoya.com/",
  "name": "mikomo_1",
  "products": [
          "account_info",
          "balances",
          "customers",
          "investments",
          "payments",
          "transactions"
  ],
  "recipientId": "paprika_rec",
  "sub": "CoABMxxxxxxxxxxxxx"
}

Akoya ID JWT claims

These claim types are supported by Akoya but not all may be present.

  • accounts- accountIds for the permissioned accounts
  • at_hash - Access token hash value
  • aud - Data recipient application/client id
  • exp - Time token will expire in Unix Epoch format
  • grant_id - Akoya’s unique identifier for a consumers consent record
  • iat - The time the token was issued in Unix Epoch format
  • iss - Issuer of the JWT, Akoya
  • name - Akoya internal user identifier
  • products- Akoya products supported by the recipient app
  • recipientId- Akoya unique identifier for the data recipient
  • sub - Unique value to identify the end-user with the scope specific to the data provider

For more: see the RFC on Identity Token claims.

Expired ID token error

If you use an expired ID token with a product (data) endpoint, it will produce error code 602.

{
    "code": 602,
    "message": "Customer not authorized"
}

If you receive this error, you should refresh the tokens. Then, using the new ID token, make the call for data again.

Expired refresh token error

If you make a request using the Token API with an expired refresh token, you will receive an invalid_request error.

{
    "error": "invalid_request",
    "error_description": "Refresh token is invalid or has already been claimed by another client."
}

An expired refresh token requires the app to redirect the end-user back through the consent flow and account selection process to reauthorize and receive a new set of ID and refresh tokens.


Change log

DateOverview
2024-Sept-03Added intro.
2024-Jul-26Original

Need help?

Check out our Developer Community, or visit the Support Center in the Data Recipient Hub.

Looking for provider nuance documentation?

All provider nuance documentation is available in the Data providers section in the Data Recipient Hub.

Still stuck?

For all production issues, submit a support ticket through the Data Recipient Hub. Our support team is standing by 24/7. Questions and non-production issues will be answered during business hours.

Updated 29 days ago