Token claims
Every claim Whisp3r Auth emits in id_token and /oauth2/userinfo responses. Absent claims mean
"not consented" — not null.
Always present
- sub
- The pairwise subject identifier — unique to your
client_id. Stable across sessions for your app. Use as your users-table primary key. - iss
- Issuer. Always matches the discovery document's
issuerfield. Verify on everyid_token. - aud
- Your
client_id. Verify on everyid_token. - iat / exp
- Issued-at / expires-at, seconds since epoch.
id_token-only claims
- amr
- Authentication Methods References, per OIDC Core 5.1. Present as
["mfa", "otp"]when the user passed 2FA on this session. Absent when the user signed in with a single factor — that's the OIDC convention for "single-factor." Read this for runtime auth-strength decisions even if you don't require 2FA at sign-in. - nonce
- Echoes the
nonceyou sent in the authorize request. Verify it matches.
Scope-gated claims
- picture
wa:photo- given_name
wa:name.first(orwa:name.full)- name, middle_name, family_name
wa:name.full- preferred_username
wa:username- pronouns
wa:pronouns- age_gate
wa:age.tiers— object with13,16,18,21boolean keys- birthdate
wa:birthday— ISOYYYY-MM-DD- locale
wa:language— BCP-47 tag- cookie_preferences
wa:cookies— object withanalytics+marketingbooleans
Signature verification
Every id_token is signed EdDSA. Fetch the JWKS from the jwks_uri in discovery, find the key matching the token's kid header, and verify the signature. Then check:
issmatches the issuer from discoveryaudmatches yourclient_idexpis in the futureiatis not too far in the past (5-minute leeway is standard)noncematches what you sent
If any of those fail, reject the token. Most OIDC libraries do all of this automatically; if you're hand-rolling, do not skip a single check.