Access Token
The Access Token is issued by Corppass after a successful authorization code exchange. It is used to authorize access to Corppass-protected APIs, such as the Userinfo Endpoint.
Usage
Clients must include the access token in the Authorization header of each request to protected Corppass APIs, using the DPoP scheme.
Usage example for one of the protected endpoints
GET /userinfo
Authorization: DPoP eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
DPoP: <signed-DPoP-proof>
Token Format
Token Opacity
Relying Parties (RPs) must treat the access token as an opaque bearer token and must not attempt to parse, inspect, or rely on its internal structure.
Only the resource server (i.e., Corppass backend services) is expected to validate and interpret the access token contents.
The access token is issued as a JWS (JSON Web Signature), but its structure is opaque to Relying Parties (RPs).
RPs must not decode, parse, or rely on its internal claims for any logic or identity processing. The following details are provided for informational purposes only and may change without notice.
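The Usage and Token Opacity sections combined, as an added example that is not Corppass code: how an RP can build the `Authorization` and `DPoP` headers for `GET /userinfo` while treating the access token as opaque (it is only hashed for the proof's `ath` claim, never decoded). Assumptions: an ES256 proof key, proof claims as defined in RFC 9449, a placeholder URL and a constructed token value; the function names are hypothetical.

```javascript
// Added example, not Corppass code. Assumptions: ES256 proof key, RFC 9449
// proof claims, placeholder URL and constructed token value.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const sha256b64url = (text) => crypto.createHash('sha256').update(text).digest('base64url');

// The RP keeps one key pair: the token is bound to the key used to obtain it.
function newProofKey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

function buildDpopHeaders(accessToken, method, url, keyPair) {
  const { kty, crv, x, y } = keyPair.publicKey.export({ format: 'jwk' });
  const header = { typ: 'dpop+jwt', alg: 'ES256', jwk: { kty, crv, x, y } };
  const target = new URL(url);
  const claims = {
    jti: crypto.randomUUID(),                 // unique per request
    htm: method.toUpperCase(),
    htu: target.origin + target.pathname,     // query and fragment excluded
    iat: Math.floor(Date.now() / 1000),
    ath: sha256b64url(accessToken),           // token is hashed, never decoded
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), {
    key: keyPair.privateKey,
    dsaEncoding: 'ieee-p1363',                // raw r||s, the JWS ES256 form
  });
  return { Authorization: `DPoP ${accessToken}`, DPoP: `${signingInput}.${b64url(signature)}` };
}

// Local self-check of signature, htm, htu and ath only. RFC 9449 also has the
// server check freshness, jti replay and key binding.
function selfCheckProof(proof, accessToken, method, url) {
  const [h, c, s] = proof.split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  const claims = JSON.parse(Buffer.from(c, 'base64url').toString());
  const key = crypto.createPublicKey({ key: header.jwk, format: 'jwk' });
  const signatureOk = crypto.verify('sha256', Buffer.from(`${h}.${c}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  return signatureOk && header.typ === 'dpop+jwt' && claims.htm === method &&
    claims.htu === url && claims.ath === sha256b64url(accessToken);
}

// Constructed inputs: placeholder host, made-up token value.
console.log(buildDpopHeaders('constructed-opaque-token', 'GET',
  'https://corppass.example.invalid/userinfo', newProofKey()));
```

A fresh proof is built for every request, because `jti`, `iat`, `htm` and `htu` are specific to that request.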