
Akoya
Documentation

ID Token Details

This guide covers more details on ID tokens, supported claim types, and common errors.

Example ID token

JSON
{
  "accounts": [
    "1755209824",
    "1704739195",
    "1755093543",
    "1781013604",
    "1755208863",
    "1777169449",
    "1704739133",
    "1704739164"
  ],
  "at_hash": "yiZEayBDJhAyhUFdOhozHA",
  "aud": [
    "e6e74675-4d41-41d9-9416-464ef0438b3f"
  ],
  "auth_time": 1739476844,
  "connectorId": "Mikomo",
  "exp": 1739563271,
  "grant_id": "7a85456e-4e1a-46d9-b1bf-4fa2792baee5",
  "iat": 1739476871,
  "iss": "/sandbox",
  "jti": "524cc0a2-26c7-4e76-8068-67d07da6ea46",
  "name": "mikomo_1",
  "products": [
    "ACCOUNT_DETAILED",
    "STATEMENTS",
    "TRANSACTIONS"
  ],
  "rat": 1739476838,
  "recipientId": "the_recipient",
  "sid": "33db1752-1046-4f3f-90ca-40ea5568169f",
  "sub": "CghtaWtvbW9fMRIGbWlrb21v"
}

Akoya ID JWT claims

These claim types are supported by Akoya but not all may be present.

  • iss - Issuer of the JWT

  • sub - Unique value to identify the consumer with the scope specific to the data provider

  • aud - Data recipient

  • exp - Time token will expire in Unix Epoch format

  • iat - The time the token was issued in Unix Epoch format

  • at_hash - Access token hash value

  • email - Consumer’s email address

  • email_verified - True if consumer’s email is verified, otherwise false

  • name - Internal user identifier

  • locale - Consumer's locale

For more, see the RFC on Identity Token claims.

Expired ID token error

If you use an expired ID token with a cluster (data) endpoint, it will produce error code 602.

JSON
{
    "code": 602,
    "message": "Customer not authorized"
}

If you receive this error, you should refresh the tokens. Then, using the new ID token, make the call for data again.

Expired refresh token error

If you make a request using the Token API with an expired refresh token, you will receive an invalid_request error.

JSON
{
    "error": "invalid_request",
    "error_description": "Refresh token is invalid or has already been claimed by another client."
}

An expired refresh token requires the app to redirect the consumer back through the consent flow and account selection process to reauthorize and receive a new set of ID and refresh tokens.
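The recovery steps for the two errors above, as an added example that is not Akoya's own code: it reads `exp` from an ID token to refresh before the token lapses, and maps each documented error body to the action this guide prescribes. The function names, the `"data"`/`"token"` endpoint labels, the 60-second skew, and the sample token are assumptions made for illustration.

```python
import base64
import json


def id_token_claims(id_token: str) -> dict:
    """Decode the payload of a compact JWT. The signature is NOT verified here,
    so use the result only to schedule a refresh, never as an authorization decision."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    # base64url segments drop their padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def is_expired(claims: dict, now: int, skew: int = 60) -> bool:
    """exp is Unix epoch seconds; treat the token as expired `skew` seconds early
    (assumed margin) so a request already in flight does not come back as 602."""
    return now >= int(claims["exp"]) - skew


def next_action(endpoint: str, body: dict) -> str:
    """Map the two documented error bodies to the recovery step the page gives.
    `endpoint` is "data" or "token" (hypothetical labels for this example)."""
    if endpoint == "data" and body.get("code") == 602:
        return "refresh_tokens"          # expired ID token: refresh, then retry the call
    if endpoint == "token" and body.get("error") == "invalid_request":
        return "reauthorize_consumer"    # expired refresh token: consent flow again
    return "unhandled"


def _segment(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample: exp and iat copied from the example ID token, placeholder signature.
SAMPLE_ID_TOKEN = ".".join([
    _segment({"alg": "RS256", "typ": "JWT"}),
    _segment({"iss": "/sandbox", "iat": 1739476871, "exp": 1739563271}),
    "placeholder-signature",
])

if __name__ == "__main__":
    claims = id_token_claims(SAMPLE_ID_TOKEN)
    print(is_expired(claims, now=1739476900))   # shortly after issuance
    print(next_action("data", {"code": 602, "message": "Customer not authorized"}))
```

Returning "unhandled" for anything else keeps an unrelated failure from triggering a refresh or a new consent prompt.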

Change log

Date          Overview
2025-May-22   Implemented UAT changes
2025-Jan-02   Initial publication
