Access Token Structure
The Access Token is issued by Corppass after a successful authorization code exchange. It is used to authorize access to Corppass-protected APIs, such as the Userinfo Endpoint.
Usage
Clients must include the access token in the `Authorization` header of each request to protected Corppass APIs, using the DPoP scheme, together with a `DPoP` header carrying a signed DPoP proof.

Usage example for one of the protected endpoints:

```http
GET /userinfo
Authorization: DPoP eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
DPoP: <signed-DPoP-proof>
```
Token Format
Token Opacity
Relying Parties (RPs) must treat the access token as an opaque bearer token and must not attempt to parse, inspect, or rely on its internal structure.
Only the resource server (i.e., Corppass backend services) is expected to validate and interpret the access token contents.
The access token is issued as a JWS (JSON Web Signature), but its structure is opaque to RPs: RPs must not decode, parse, or rely on its internal claims for any logic or identity processing. The details below are provided for informational purposes only and may change without notice.
JWT Payload (Claims) Example
```json
{
  "iat": 1716451740,
  "exp": 1716452339,
  "iss": "https://stg-id.corppass.gov.sg",
  "scope": "authinfo tpauthinfo",
  "aud": ["https://stg-id.corppass.gov.sg/authorization-info"],
  "client_id": "97ZZnLxUfzzVz50kfCwB",
  "sub": "CP192",
  "jti": "vhC0eLzU-ol8IQ0RuFL5f",
  "cnf": {
    "jkt": "0ZcOCORZNYy-DWpqq30jZyJGHTN0d2HglBV3uiguA4I"
  }
}
```
| Claim | Type | Description |
| --- | --- | --- |
| `aud` | Array | The URI of the resource server(s) for which the Access Token is intended. |
| `iss` | String | The issuer of the Access Token. |
| `iat` | Number | The time at which the Access Token was issued, expressed as a UNIX timestamp. |
| `exp` | Number | The expiration time on or after which the Access Token MUST NOT be accepted for processing. Defaults to 10 minutes after `iat`. |
| `scope` | String | A space-separated list of scopes granted by the token, which defines the permissions for the resource server. |
| `sub` | String | The principal that is the subject of the JWT. Uniquely identifies the user. |
| `client_id` | String | The client ID of the Relying Party for which the Access Token is intended. |
| `jti` | String | The unique identifier of the token. |
| `cnf.jkt` | String | The base64url-encoded SHA-256 thumbprint of the DPoP public key (in JWK format), which binds the access token to the DPoP key used during the request. |