# ID Token Structure The ID Token contains both standard claims and Corppass-specific custom claims.

Claim Claim Content Claim Format

Standard Claims Standard claims such as iss , iat, exp, etc., as defined in the Section 5.1. of OIDC Core Specification String

Custom Claims

Claim	Claim Content	Claim Format
Standard Claims	Standard claims such as `iss` , `iat`, `exp,` etc., as defined in the Section 5.1. of OIDC Core Specification	String
Custom Claims	Corppass-specific claims providing details about the authenticated user: `userInfo`: Includes Corppass user's personal information, such as full name and account type `entityInfo`: Includes Corppass user's entity information, detailing entities the user is authorized for or selected during authorization (applicable when the user has access to multiple entities)	JavaScript Notation Object (JSON)

Corppass-specific claims providing details about the authenticated user:

userInfo: Includes Corppass user's personal information, such as full name and account type
entityInfo: Includes Corppass user's entity information, detailing entities the user is authorized for or selected during authorization (applicable when the user has access to multiple entities)

JavaScript Notation Object (JSON)

#### ID Token Format The ID Token is issued as a JWS encapsulated in a JWE (compact serialisation). Below is an overview of its structure:

Component	Description
JWE Header	Contains metadata such as the encryption algorithm (`alg`) and key identifier (`kid`).
Encrypted Payload	Contains the Base64-encoded representation of the JWS (decrypted).
JWS Header	Includes metadata such as the signing algorithm (`alg`) and the key identifier (`kid`).
JWS Payload	Contains claims, including user and authorization information.
Signature	Ensures the integrity and authenticity of the payload.

{% hint style="warning" %} Clients **must** use the kid field in the JWE header to identify the key Corppass used for encryption. Refer to [RFC 7515 Section 4](https://tools.ietf.org/html/rfc7515#section-4) for more information about the JWE structure. {% endhint %} #### **JWS Payload Example** The following an example of the JWS payload returned by the ID Token


{ "iat": 1623162109, "iss": "https://stg-id.corppass.gov.sg", "at_hash": "6J4VlBBQpbAyy1NL4NBW-Q", "sub": "s=S1234567P,uuid=0f14a2fc-09c2-4780-95f0-8c28347f2780,u=CP192,c=SG", "exp": 1623165709, "aud": "vOIljWVrGyBMK6f31QYq", "amr": ["pwd", "sms"], "nonce": "ZEF+97zc3YZP7huv6nzKspfabDv0wRtce/aVNud23vU=", "userInfo":{ "CPAccType": "User", "CPUID_FullName": "John Grisham", "ISSPHOLDER": "YES" }, "entityInfo": { "CPEntID": "82532759L", "CPEnt_TYPE": "UEN", "CPEnt_Status": "Registered", "CPNonUEN_Country": "", "CPNonUEN_RegNo": "", "CPNonUEN_Name": "" } }

{
    "iat": 1623162109,
    "iss": "https://stg-id.corppass.gov.sg",
    "at_hash": "6J4VlBBQpbAyy1NL4NBW-Q",
    "sub": "s=S1234567P,uuid=0f14a2fc-09c2-4780-95f0-8c28347f2780,u=CP192,c=SG",
    "exp": 1623165709,
    "aud": "vOIljWVrGyBMK6f31QYq",
    "amr": ["pwd", "sms"],
    "nonce": "ZEF+97zc3YZP7huv6nzKspfabDv0wRtce/aVNud23vU=",
    "userInfo":{
        "CPAccType": "User",
        "CPUID_FullName": "John Grisham",
        "ISSPHOLDER": "YES"
    },
    "entityInfo": {
        "CPEntID": "82532759L",
        "CPEnt_TYPE": "UEN",
        "CPEnt_Status": "Registered",
        "CPNonUEN_Country": "",
        "CPNonUEN_RegNo": "",
        "CPNonUEN_Name": ""
    }
}

#### **Claims in the JWS Payload**

Claim	Type	Description
aud	String	The client ID of the Relying Party. Refer to Section 4.1.3 of RFC 7519.
iss	String	The issuer of the token. Refer to Section 4.1.1 of RFC 7519.
iat	Number	The time the token was issued, expressed as a UNIX timestamp. Refer to Section 4.1.6 of RFC 7519.
exp	Number	The expiration time of the token, expressed as a UNIX timestamp. The default validity is 10 minutes from `iat`. Refer to Section 4.1.6 of RFC 7519.
nonce	String	A unique string to associate the ID Token with the authorization request to prevent replay attacks.
amr	Array	Authentication methods used during Singpass login
at_hash	String	A hash of the Access Token issued alongside the ID Token.
sub	String	The principal that is the subject of the JWT. It contains a comma-separated list of `key=value` pairs that uniquely identify the user, which may include multiple alternate identifiers. Format The format of the `sub` is as follows: `s` : Identity ID (e.g. NRIC/FIN/Foreign ID) `uuid` : User's globally unique identifier (e.g. `0f14a2fc-09c2-4780-95f0-8c28347f2780` ) `u` : System-defined ID (e.g. `CP1234` ) `c` : Two-character country code, conforming to ISO 3166-1 Alpha-2 (e.g. `SG` ) Example:
userInfo	JSON	Contains the user's personal information, such as full name and account type. Refer to the UserInfo Claim Structure section for more details.
entityInfo	JSON	Includes the user's entity information (e.g., entity type, ID) used during authentication. Refer to the EntityInfo Claim Structure section for more details.

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.corppass.gov.sg/technical-specifications/corppass-authorization-api-legacy/endpoints/token-endpoint/id-token-structure.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.