Skip to main content

Identity and Access Tokens

Enterprise

When you log in using the OIDC protocol in Appsmith, you gain access to the identity and access tokens. These tokens can be used within your applications to implement custom logic and authorize API requests on behalf of the authenticated user.

Identity token

An ID token serves as a verified confirmation of a user's identity and includes essential information such as their name, picture, email address etc. According to the OpenID Connect (OIDC) specifications, when a user successfully logs in, Appsmith receives an ID token.

Appsmith provides the idToken on the client side, allowing you to incorporate it into various operations like JavaScript functions, APIs, or queries as needed. You can read the value of an ID token in your APIs/Queries by using the mustache syntax {{}} as shown below:

{{appsmith.user.idToken}}

idToken is also provided in its raw format for you to incorporate into API headers. You can read the value of an ID token in its raw format in your APIs/Queries by using the mustache syntax {{}} as shown below:

{{appsmith.user.rawIdToken}}

If you have defined custom scopes in your identity provider, the information associated with those scopes can be accessed within the Identity token.

Access token

An access token is a self-contained object that holds claims, which are pieces of information about an entity. Unlike other tokens, you don't need to contact a server to validate an access token.

Once a user has successfully authenticated through a Single Sign-On (SSO) Provider, the access tokens can be used within Appsmith. The access token is stored on the server, and for security reasons, it is not accessible on the client side.

You can reference the access token using the placeholder <<APPSMITH_USER_OAUTH2_ACCESS_TOKEN>>. This placeholder is automatically substituted with the access token of the currently logged-in user.

User Claims

User claims are pieces of information about the authenticated user, such as their name, email address, roles, or any custom attributes.

These claims are included in the ID token and/or the access token. They provide information that can be used by the client application to personalize the user's experience or make authorization decisions.

The specific claims included in the ID token and access token can vary depending on the identity provider and the scopes requested during authentication.

You can read the user info using the mustache syntax {{}} as shown below:

 {{ appsmith.user.userClaims }}