ID Token

An ID Token is a JSON Web Token (JWT) [JWT] that contains Claims about the Authentication event; it represents the outcome of an authentication process.

The ID Token consists of three period-separated, Base64URL-encoded segments: a JSON header, a JSON payload (the claims), and the signature.

ID tokens use the JSON Web Token (JWT) format, specified here: https://tools.ietf.org/html/rfc7519. They are signed with a private key whose public part is published as a JSON Web Key (JWK), specified here: https://tools.ietf.org/html/rfc7517.


What to Check When Validating an ID Token

The high-level overview of validating an ID token looks like this:

  1. Retrieve and parse your JSON Web Keys (JWK), which your application should cache and re-check periodically.
  2. Decode the ID token, which is in JSON Web Token format.
  3. Verify the signature used to sign the ID token.
    1. You verify the Access or ID token's signature by matching the key that was used to sign it with one of the keys that you retrieved from your Authorization Server's JWK endpoint. Specifically, each public key is identified by a kid attribute, which corresponds to the kid claim in the Access or ID token header. If no key matches the kid claim, it's possible that the signing keys have changed: check the jwks_uri value in the Authorization Server metadata and try retrieving the keys again from MobilePay.
  4. Verify the claims found inside the ID token.
    1. The iss (issuer) claim matches the identifier of your MobilePay Authorization Server.
    2. The aud (audience) claim should match the Client ID that you used to request the ID Token.
    3. The iat (issued at time) claim indicates when this ID token was issued, expressed in Unix time.
    4. The exp (expiry time) claim is the time at which this token expires, expressed in Unix time.
    5. The nonce claim value should match whatever was passed when you requested the ID token.
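Steps 2 to 4 carried out in code, as an added Go example that is not MobilePay's own code. It assumes RS256 signing, a single-string aud, and that the caller passes in the key set it already fetched and cached from jwks_uri (step 1); the issuer, client ID, nonce and current time are the relying party's own values.

```go
package main
import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)
// JWK is the RSA subset of one key in the jwks_uri document; Claims are the claims checked in step 4.
type JWK struct{ Kid, Kty, N, E string }
type Claims struct{ Iss, Aud, Nonce string; Iat, Exp int64 }
func segment(s string, v any) ([]byte, error) { // base64url-decode one JWT segment; parse JSON into v if given
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err == nil && v != nil {
		err = json.Unmarshal(raw, v)
	}
	return raw, err
}
// ValidateIDToken runs steps 2-4: decode, pick the key by kid, verify the RS256 signature
// over "header.payload", then check iss, aud, exp, iat and nonce (now is Unix seconds).
func ValidateIDToken(token string, keys []JWK, issuer, clientID, nonce string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if _, err := segment(parts[0], &hdr); len(parts) != 3 || err != nil || hdr.Alg != "RS256" { // never trust alg=none/HMAC
		return nil, fmt.Errorf("malformed token or unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys { // step 3: the header kid selects the public key
		if n, err := segment(k.N, nil); err == nil && k.Kid == hdr.Kid && k.Kty == "RSA" {
			e, _ := segment(k.E, nil)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil { // keys may have rotated: re-fetch jwks_uri once and retry
		return nil, fmt.Errorf("no RSA JWK with kid %q; refresh the key set", hdr.Kid)
	}
	sig, err := segment(parts[2], nil)
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	var c Claims
	if _, perr := segment(parts[1], &c); err != nil || perr != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed or payload malformed")
	}
	if c.Iss != issuer || c.Aud != clientID || c.Nonce != nonce || c.Exp <= now || c.Iat > now+60 { // step 4; 60 s skew on iat
		return nil, fmt.Errorf("claims rejected: %+v", c)
	}
	return &c, nil
}
```

An aud claim sent as a JSON array (allowed by the JWT spec) fails to unmarshal into the string field here and is rejected, so widen the Claims type if your Authorization Server issues multi-audience tokens.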