
Tokens & Scopes

Scopes

Scopes define the permissions your application is requesting from the user during the authentication flow. Visual Passcodes supports the following scopes:

  • openid: (Mandatory for OIDC) This scope is required to signal that you are performing an OpenID Connect request and want to receive an id_token.
  • profile: Allows access to the user's default profile claims, such as name.
  • email: Allows access to the user's email and email_verified claims.
  • 2fa: A custom scope used to trigger the two-factor authentication flow. When this scope is used, Visual Passcodes will only return an id_token.
  • 2fa_link: A custom scope used to trigger the two-factor authentication flow for new users or the register flow. This scope is restricted to confidential clients and must be requested together with the 2fa scope.

Tokens

Upon a successful exchange at the token endpoint, Visual Passcodes returns a token response that may contain the following tokens and fields.

  • id_token: A JSON Web Token (JWT) that carries claims (attributes) about the authentication event and the authenticated user. It is intended for the client application to read and verify. Your application must verify the id_token's signature with the provider's public key and validate its claims before trusting it: iss must match the issuer, aud must contain your client_id, exp must be in the future, iat must be plausible, and nonce must equal the value your application sent in the authorization request. Treat a token that fails any of these checks as an authentication failure.

  • access_token: A credential used by your application to access protected resources, such as the Userinfo endpoint or your own backend APIs. It has a limited lifetime.

  • refresh_token: A long-lived token that can be used to obtain a new access_token (and optionally a new id_token) without requiring the user to log in again. A refresh_token is as sensitive as the user's session itself: confidential clients must store it server-side, protected at rest, and never expose it to browser code.

  • token_type: Indicates the type of token issued, typically Bearer.

  • expires_in: The lifetime of the access_token in seconds.

Token Signing Algorithm

Visual Passcodes signs all tokens with EdDSA (JOSE alg value EdDSA, RFC 8037). Ensure your token validation library supports this algorithm, and configure it to accept only EdDSA: a verifier that lets the token's own alg header choose the algorithm can be tricked into accepting an unsigned (alg none) or symmetrically signed token.
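The id_token validation and the EdDSA requirement described above, as an added example that is not part of the Visual Passcodes documentation or SDK: a small Go program built only on the standard library that pins alg to EdDSA, verifies the JWS with an Ed25519 public key, checks iss, aud, exp, iat and nonce, and then exercises the validator against a valid token, an unsigned alg=none token, a nonce mismatch and a tampered payload. The issuer URL, client_id, nonce and the fixed signing seed are assumptions constructed for the example; a real client only holds the provider's public key, and the example derives a private key solely so it can mint test tokens offline.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Placeholder issuer, client_id and nonce: assumptions for this example, not values from the docs.
const issuer, clientID, nonce = "https://idp.example.com", "my-client-id", "n-0S6_WzA2Mj"
var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

type idTokenClaims struct { // only the claims this validator checks
	Iss   string `json:"iss"`
	Aud   any    `json:"aud"` // OIDC allows a string or an array of strings
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	Nonce string `json:"nonce"`
}

func decode(seg string, v any) bool { // base64url segment -> JSON into v
	raw, err := b64.DecodeString(seg)
	return err == nil && json.Unmarshal(raw, v) == nil
}

// audContains accepts aud as either "client" or ["client", ...].
func audContains(aud any, want string) bool {
	list, _ := aud.([]any)
	if s, ok := aud.(string); ok {
		list = []any{s}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// verifyIDToken pins alg to "EdDSA" before trusting anything else in the token (the header is
// attacker-controlled until the signature is checked), then verifies the JWS and checks the claims.
func verifyIDToken(token string, pub ed25519.PublicKey, wantAud, wantNonce string, now time.Time) (*idTokenClaims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if len(parts) != 3 || !decode(parts[0], &hdr) || hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("malformed JWT or alg %q is not EdDSA", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c idTokenClaims
	if !decode(parts[1], &c) {
		return nil, fmt.Errorf("malformed payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("iss %q, want %q", c.Iss, issuer)
	case !audContains(c.Aud, wantAud):
		return nil, fmt.Errorf("aud does not include this client_id")
	case c.Exp == 0 || now.Unix() >= c.Exp || c.Iat == 0 || c.Iat > now.Unix()+60:
		return nil, fmt.Errorf("exp/iat missing or outside the accepted window (60 s skew allowed)")
	case c.Nonce != wantNonce:
		return nil, fmt.Errorf("nonce does not match the one sent in the authorization request")
	}
	return &c, nil
}

// checkScenarios reports, per case, whether the validator accepted the token; only "valid" should.
func checkScenarios() map[string]bool {
	priv, now := ed25519.NewKeyFromSeed([]byte("visual-passcodes-example-seed-32")), time.Unix(1_700_000_000, 0) // fixed 32-byte demo seed and clock
	sign := func(k string, v any) string { // valid base claims with one overridden, signed as the provider would
		m := map[string]any{"iss": issuer, "aud": clientID, "nonce": nonce, "iat": now.Unix() - 60, "exp": now.Unix() + 3600}
		if k != "" {
			m[k] = v
		}
		hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
		body, _ := json.Marshal(m)
		input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
		return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
	}
	accept := func(tok string) bool {
		_, err := verifyIDToken(tok, priv.Public().(ed25519.PublicKey), clientID, nonce, now)
		return err == nil
	}
	good := strings.Split(sign("", nil), ".")
	return map[string]bool{
		"valid":            accept(strings.Join(good, ".")),
		"alg_none":         accept(b64.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + good[1] + "."), // genuine payload, no signature
		"wrong_nonce":      accept(sign("nonce", "not-what-we-sent")),
		"tampered_payload": accept(good[0] + "." + strings.Split(sign("exp", now.Unix()+86400), ".")[1] + "." + good[2]),
	}
}

func main() { fmt.Println(checkScenarios()) }
```

Run it with go run; the printed map should show true only for valid. In production replace the seeded key with the provider's published Ed25519 public key, use the real clock, and pass the nonce you stored in the user's session when you built the authorization request; the alg check stays exactly as written, since it is what stops an alg=none or key-confusion token before any signature math runs.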