ID Token and Access Token: What Is the Difference?

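<!DOCTYPE html>
<html lang="en">
<head>
  <!-- Head of the article page: favicons, one CDN stylesheet, three third-party loaders, SEO/social metadata, then the site's own script bundles. -->
  <link rel="shortcut icon mask-icon" type="image/svg+xml" href="https://cdn.auth0.com/website/website/favicons/auth0-favicon.svg"/>
  <link rel="shortcut icon" type="image/svg+xml" href="https://cdn.auth0.com/website/website/favicons/auth0-favicon.svg"/>
  <link rel="shortcut icon" type="image/png" href="https://cdn.auth0.com/website/website/favicons/auth0-favicon-48.png"/>
  <link rel="icon" sizes="16x16" type="image/png" href="https://cdn.auth0.com/website/website/favicons/auth0-favicon-16.png"/>
  <link rel="icon" sizes="32x32" type="image/png" href="https://cdn.auth0.com/website/website/favicons/auth0-favicon-32.png"/>
  <link rel="icon" sizes="48x48" type="image/png" href="https://cdn.auth0.com/website/website/favicons/auth0-favicon-48.png"/>
  <link rel="icon" sizes="96x96" type="image/png" href="https://cdn.auth0.com/website/website/favicons/auth0-favicon-96.png"/>
  <link rel="icon" sizes="144x144" type="image/png" href="https://cdn.auth0.com/website/website/favicons/auth0-favicon-144.png"/>
  <link rel="apple-touch-icon" sizes="180x180" href="https://cdn.auth0.com/website/website/favicons/auth0-favicon-180.png"/>

  <!-- Cross-origin stylesheet referenced by a versioned path (3.0.0) but without integrity/crossorigin attributes. NOTE(review): if that path is immutable, pin it with an SRI hash. -->
  <link rel="stylesheet" href="https://cdn.auth0.com/styleguide/core/3.0.0/core.min.css"/>

  <!-- Third-party loaders (Twitter widgets, Hotjar, 6sense). type="text/plain" keeps the browser from executing them as written; presumably a consent manager keyed on class optanon-category-4 activates them after the visitor agrees (confirm). Once active, each one injects a remote script that runs with full access to this page, and none of them sets an integrity value on the element it creates, so the allowed hosts should be restricted through a CSP script-src list. -->
  <!-- Loader URLs are absolute https: rather than protocol-relative, so a copy of this page served over plain HTTP cannot fetch tracker code over an unencrypted channel. -->
  <script class="optanon-category-4" type="text/plain">window.twttr=function(t,e,r){var n,i=t.getElementsByTagName(e)[0],w=window.twttr||{};return t.getElementById(r)?w:((n=t.createElement(e)).id=r,n.src="https://platform.twitter.com/widgets.js",i.parentNode.insertBefore(n,i),w._e=[],w.ready=function(t){w._e.push(t)},w)}(document,"script","twitter-wjs");</script>
  <script class="optanon-category-4" type="text/plain">(function (h, o, t, j, a, r) {h.hj = h.hj || function () { (h.hj.q = h.hj.q || []).push(arguments) }; h._hjSettings = { hjid: 301495, hjsv: 5 }; a = o.getElementsByTagName('head')[0]; r = o.createElement('script'); r.async = 1; r.src = t + h._hjSettings.hjid + j + h._hjSettings.hjsv; a.appendChild(r);}(window, document, 'https://static.hotjar.com/c/hotjar-', '.js?sv='))</script>
  <script class="optanon-category-4" type="text/plain"> window._6si = window._6si || []; window._6si.push(['enableEventTracking', true]); window._6si.push(['setToken', '17aa5119e1d44eeab301f44113230d69']); window._6si.push(['setEndpoint', 'b.6sc.co']); (function() { var gd = document.createElement('script'); gd.type = 'text/javascript'; gd.async = true; gd.src = 'https://j.6sc.co/6si.min.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(gd, s); })();</script>

  <!-- Same-origin preload issued with credentials (crossorigin="use-credentials"), so the visitor's cookies accompany the request to /blog/api/ab/. -->
  <link rel="preload" href="/blog/api/ab/" as="fetch" crossorigin="use-credentials"/>
  <link rel="canonical" href="https://auth0.com/blog/id-token-access-token-what-is-the-difference/"/>
  <title>ID Token and Access Token: What Is the Difference?</title>
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0"/>
  <meta charSet="utf-8"/>
  <meta name="description" content="Learn what ID and access tokens are and how to correctly use them in the OpenID Connect and OAuth context."/>

  <!-- Open Graph / Facebook sharing metadata. -->
  <meta property="fb:app_id" content="534074790006350"/>
  <meta property="og:type" content="article"/>
  <meta property="og:title" content="ID Token and Access Token: What Is the Difference?"/>
  <meta property="og:site_name" content="Auth0 - Blog"/>
  <meta property="og:description" content="Learn what ID and access tokens are and how to correctly use them in the OpenID Connect and OAuth context."/>
  <meta property="og:image" content="https://images.ctfassets.net/23aumh6u8s0i/4hewpJDm0cpCwKydQjq8Gj/0c4f2cf6632d5067c5a9663bf8925a65/the-confused-developer-01.jpg"/>
  <meta property="og:url" content="https://auth0.com/blog/id-token-access-token-what-is-the-difference/"/>

  <!-- Twitter card metadata. -->
  <meta name="twitter:site" content="@auth0"/>
  <meta name="twitter:creator" content="@auth0"/>
  <meta name="twitter:title" content="ID Token and Access Token: What Is the Difference?"/>
  <meta name="twitter:description" content="Learn what ID and access tokens are and how to correctly use them in the OpenID Connect and OAuth context."/>
  <meta name="twitter:url" content="https://auth0.com/blog/id-token-access-token-what-is-the-difference/"/>
  <meta name="twitter:card" content="summary_large_image"/>
  <meta name="twitter:image" content="https://images.ctfassets.net/23aumh6u8s0i/4hewpJDm0cpCwKydQjq8Gj/0c4f2cf6632d5067c5a9663bf8925a65/the-confused-developer-01.jpg"/>
  <meta name="twitter:image:height" content="512"/>
  <meta name="twitter:image:width" content="1024"/>

  <meta name="HandheldFriendly" content="True"/>
  <meta name="MobileOptimized" content="320"/>
  <link rel="manifest" href="https://auth0.com/blog/manifest.json"/>
  <link type="application/atom+xml" rel="alternate" href="https://auth0.com/blog/rss.xml" title="Auth0 Blog"/>
  <link type="application/opensearchdescription+xml" rel="search" href="https://auth0.com/blog/osd.xml"/>
  <meta name="next-head-count" content="31"/>
  <noscript data-n-css=""></noscript>

  <!-- Site script bundles: same-origin paths with hash-suffixed file names, all loaded with defer. -->
  <script defer="" nomodule="" src="/blog/_next/static/chunks/polyfills-5cd94c89d3acac5f.js"></script>
  <script src="/blog/_next/static/chunks/webpack-a782c72818c7ffe2.js" defer=""></script>
  <script src="/blog/_next/static/chunks/framework-d3b6a5186d0a11ae.js" defer=""></script>
  <script src="/blog/_next/static/chunks/main-c16094a955a57664.js" defer=""></script>
  <script src="/blog/_next/static/chunks/pages/_app-4030694b79eae4c0.js" defer=""></script>
  <script src="/blog/_next/static/chunks/4811-8c18a25694512d39.js" defer=""></script>
  <script src="/blog/_next/static/chunks/86-06286fbbb5daed49.js" defer=""></script>
  <script src="/blog/_next/static/chunks/7839-001152a84406ee0e.js" defer=""></script>
  <script src="/blog/_next/static/chunks/150-7f815a9dd295050c.js" defer=""></script>
  <script src="/blog/_next/static/chunks/9764-3887af4854bd04f4.js" defer=""></script>
  <script src="/blog/_next/static/chunks/pages/blog/%5Bslug%5D-35441c99063e0800.js" defer=""></script>
  <script src="/blog/_next/static/IzTW8SATo2LLnvYQRE3T_/_buildManifest.js" defer=""></script>
  <script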
src="/blog/_next/static/IzTW8SATo2LLnvYQRE3T_/_ssgManifest.js" defer=""></script><script src="/blog/_next/static/IzTW8SATo2LLnvYQRE3T_/_middlewareManifest.js" defer=""></script><style data-styled="" data-styled-version="5.2.1">html{line-height:1.15;-webkit-text-size-adjust:100%;}/*!sc*/ body{margin:0;}/*!sc*/ main{display:block;}/*!sc*/ h1{font-size:2em;margin:0.67em 0;}/*!sc*/ hr{box-sizing:content-box;height:0;overflow:visible;}/*!sc*/ pre{font-family:monospace,monospace;font-size:1em;}/*!sc*/ a{background-color:transparent;}/*!sc*/ abbr[title]{border-bottom:none;-webkit-text-decoration:underline;text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted;}/*!sc*/ b,strong{font-weight:bolder;}/*!sc*/ code,kbd,samp{font-family:monospace,monospace;font-size:1em;}/*!sc*/ small{font-size:80%;}/*!sc*/ sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline;}/*!sc*/ sub{bottom:-0.25em;}/*!sc*/ sup{top:-0.5em;}/*!sc*/ img{border-style:none;}/*!sc*/ button,input,optgroup,select,textarea{font-family:inherit;font-size:100%;line-height:1.15;margin:0;}/*!sc*/ button,input{overflow:visible;}/*!sc*/ button,select{text-transform:none;}/*!sc*/ button,[type="button"],[type="reset"],[type="submit"]{-webkit-appearance:button;}/*!sc*/ button::-moz-focus-inner,[type="button"]::-moz-focus-inner,[type="reset"]::-moz-focus-inner,[type="submit"]::-moz-focus-inner{border-style:none;padding:0;}/*!sc*/ button:-moz-focusring,[type="button"]:-moz-focusring,[type="reset"]:-moz-focusring,[type="submit"]:-moz-focusring{outline:1px dotted ButtonText;}/*!sc*/ fieldset{padding:0.35em 0.75em 0.625em;}/*!sc*/ legend{box-sizing:border-box;color:inherit;display:table;max-width:100%;padding:0;white-space:normal;}/*!sc*/ progress{vertical-align:baseline;}/*!sc*/ textarea{overflow:auto;}/*!sc*/ [type="checkbox"],[type="radio"]{box-sizing:border-box;padding:0;}/*!sc*/ 
[type="number"]::-webkit-inner-spin-button,[type="number"]::-webkit-outer-spin-button{height:auto;}/*!sc*/ [type="search"]{-webkit-appearance:textfield;outline-offset:-2px;}/*!sc*/ [type="search"]::-webkit-search-decoration{-webkit-appearance:none;}/*!sc*/ ::-webkit-file-upload-button{-webkit-appearance:button;font:inherit;}/*!sc*/ details{display:block;}/*!sc*/ summary{display:list-item;}/*!sc*/ template{display:none;}/*!sc*/ [hidden]{display:none;}/*!sc*/ data-styled.g52[id="sc-global-ecVvVt1"]{content:"sc-global-ecVvVt1,"}/*!sc*/ :root{--content-width:120rem;--font-main:'fakt-web',sans-serif;}/*!sc*/ .lightbox{width:100%;height:100%;position:fixed;top:0;left:0;background:rgba(0,0,0,0.85);z-index:9999999;line-height:0;cursor:pointer;}/*!sc*/ .lightbox-image{max-width:100%;cursor:pointer;margin:0 auto;display:block;}/*!sc*/ .lightbox img{position:relative;top:50%;left:50%;-ms-transform:translateX(-50%) translateY(-50%);-webkit-transform:translate(-50%,-50%);-webkit-transform:translate(-50%,-50%);-ms-transform:translate(-50%,-50%);transform:translate(-50%,-50%);max-width:100%;max-height:100%;}/*!sc*/ @media screen and (min-width:1200px){.lightbox img{max-width:1200px;}}/*!sc*/ @media screen and (min-height:1200px){.lightbox img{max-height:1200px;}}/*!sc*/ .lightbox span{display:block;position:fixed;bottom:13px;height:1.5em;line-height:1.4em;width:100%;text-align:center;color:white;text-shadow:-1px -1px 0 #000,1px -1px 0 #000,-1px 1px 0 #000,1px 1px 0 #000;font-family:'fakt-web','Helvetica Neue',Hevetica,sans-serif;font-size:18px;}/*!sc*/ .lightbox .videoWrapperContainer{position:relative;top:50%;left:50%;-ms-transform:translateX(-50%) translateY(-50%);-webkit-transform:translate(-50%,-50%);-webkit-transform:translate(-50%,-50%);-ms-transform:translate(-50%,-50%);transform:translate(-50%,-50%);max-width:900px;max-height:100%;}/*!sc*/ .lightbox .videoWrapperContainer 
.videoWrapper{height:0;line-height:0;margin:0;padding:0;position:relative;padding-bottom:56.333%;background:black;}/*!sc*/ .lightbox .videoWrapper iframe{position:absolute;top:0;left:0;width:100%;height:100%;border:0;display:block;}/*!sc*/ .lightbox #prev,.lightbox #next{height:50px;line-height:36px;display:none;margin-top:-25px;position:fixed;top:50%;padding:0 15px;cursor:pointer;-webkit-text-decoration:none;text-decoration:none;z-index:99;color:white;font-size:60px;font-family:'fakt-web','Helvetica Neue',Hevetica,sans-serif;}/*!sc*/ .lightbox.gallery #prev,.lightbox.gallery #next{display:block;}/*!sc*/ .lightbox #prev{left:0;}/*!sc*/ .lightbox #next{right:0;}/*!sc*/ .lightbox #close{height:50px;width:50px;position:fixed;cursor:pointer;-webkit-text-decoration:none;text-decoration:none;z-index:99;right:0;top:0;}/*!sc*/ .lightbox #close:after,.lightbox #close:before{position:absolute;margin-top:22px;margin-left:14px;content:'';height:3px;background:white;width:23px;-webkit-transform-origin:50% 50%;-ms-transform-origin:50% 50%;transform-origin:50% 50%;-webkit-transform:rotate(-45deg);-ms-transform:rotate(-45deg);transform:rotate(-45deg);}/*!sc*/ .lightbox #close:after{-webkit-transform:rotate(45deg);-ms-transform:rotate(45deg);transform:rotate(45deg);}/*!sc*/ .lightbox,.lightbox *{-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;}/*!sc*/ body{box-sizing:border-box;font-family:var(--font-main);font-size:2rem;line-height:3.2rem;}/*!sc*/ html{font-size:10px;}/*!sc*/ data-styled.g53[id="sc-global-jGDHBS1"]{content:"sc-global-jGDHBS1,"}/*!sc*/ html{font-size:62.5%;}/*!sc*/ body.modal-open{overflow:hidden;}/*!sc*/ data-styled.g54[id="sc-global-gUclnr1"]{content:"sc-global-gUclnr1,"}/*!sc*/ .dQGrL{border-bottom:0.1rem solid #cdd2d4;padding-bottom:3.2rem;}/*!sc*/ @media screen and (min-width:900px){.dQGrL{padding-bottom:8rem;}}/*!sc*/ data-styled.g55[id="bie152-0"]{content:"dQGrL,"}/*!sc*/ .fobSsY{display:none;}/*!sc*/ @media screen and 
(min-width:900px){.fobSsY{display:block;}}/*!sc*/ data-styled.g56[id="bie152-1"]{content:"fobSsY,"}/*!sc*/ .iBZoKk{display:block;}/*!sc*/ @media screen and (min-width:900px){.iBZoKk{display:none;}}/*!sc*/ data-styled.g57[id="bie152-2"]{content:"iBZoKk,"}/*!sc*/ .hzQAvt{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}/*!sc*/ @media screen and (min-width:900px){.hzQAvt{-webkit-flex-direction:row;-ms-flex-direction:row;flex-direction:row;max-width:120rem;margin:0 auto;padding:0 1.6rem;}}/*!sc*/ @media screen and (min-width:1200px){.hzQAvt{padding:0;}}/*!sc*/ data-styled.g58[id="bie152-3"]{content:"hzQAvt,"}/*!sc*/ @media screen and (min-width:900px){.zWfns{-webkit-flex:1;-ms-flex:1;flex:1;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;-webkit-box-pack:center;-webkit-justify-content:center;-ms-flex-pack:center;justify-content:center;margin-right:7.8rem;}}/*!sc*/ data-styled.g59[id="bie152-4"]{content:"zWfns,"}/*!sc*/ .gjPoRq{padding:3.2rem 2.4rem 0;}/*!sc*/ @media screen and (min-width:900px){.gjPoRq{padding:0;}}/*!sc*/ data-styled.g60[id="bie152-5"]{content:"gjPoRq,"}/*!sc*/ .kuZGke{font-weight:600;font-size:1rem;-webkit-letter-spacing:0.1rem;-moz-letter-spacing:0.1rem;-ms-letter-spacing:0.1rem;letter-spacing:0.1rem;line-height:1.6rem;text-transform:uppercase;margin-bottom:0;color:#e5af44;}/*!sc*/ @media screen and (min-width:900px){.kuZGke{font-size:1.3rem;-webkit-letter-spacing:0.135rem;-moz-letter-spacing:0.135rem;-ms-letter-spacing:0.135rem;letter-spacing:0.135rem;line-height:2.4rem;}}/*!sc*/ data-styled.g61[id="bie152-6"]{content:"kuZGke,"}/*!sc*/ 
.dNLsmV{font-weight:400;font-size:2.4rem;color:#000;-webkit-letter-spacing:0.02rem;-moz-letter-spacing:0.02rem;-ms-letter-spacing:0.02rem;letter-spacing:0.02rem;line-height:3.2rem;margin:0;}/*!sc*/ @media screen and (min-width:900px){.dNLsmV{opacity:0.9;font-weight:500;font-size:4rem;-webkit-letter-spacing:0;-moz-letter-spacing:0;-ms-letter-spacing:0;letter-spacing:0;line-height:4.8rem;margin-bottom:2.4rem;}}/*!sc*/ @media screen and (min-width:1200px){.dNLsmV{font-weight:600;font-size:6rem;line-height:7.2rem;-webkit-letter-spacing:-0.135rem;-moz-letter-spacing:-0.135rem;-ms-letter-spacing:-0.135rem;letter-spacing:-0.135rem;}}/*!sc*/ data-styled.g62[id="bie152-7"]{content:"dNLsmV,"}/*!sc*/ .BxKyh{font-weight:400;font-size:1.6rem;color:#333;-webkit-letter-spacing:0.01rem;-moz-letter-spacing:0.01rem;-ms-letter-spacing:0.01rem;letter-spacing:0.01rem;text-align:left;line-height:2.4rem;margin-top:2.4rem;margin-bottom:3.2rem;}/*!sc*/ @media screen and (min-width:900px){.BxKyh{font-size:2.4rem;color:#606060;-webkit-letter-spacing:0.02rem;-moz-letter-spacing:0.02rem;-ms-letter-spacing:0.02rem;letter-spacing:0.02rem;line-height:3.2rem;}}/*!sc*/ data-styled.g63[id="bie152-8"]{content:"BxKyh,"}/*!sc*/ .beLXWF{padding:0 2.4rem 0;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-flow:column nowrap;-ms-flex-flow:column nowrap;flex-flow:column nowrap;gap:1.2rem;}/*!sc*/ @media screen and (min-width:900px){.beLXWF{padding:0;gap:2.4rem;}}/*!sc*/ data-styled.g64[id="bie152-9"]{content:"beLXWF,"}/*!sc*/ @media screen and (min-width:900px){.kTTSlD{padding:0;}}/*!sc*/ data-styled.g65[id="bie152-10"]{content:"kTTSlD,"}/*!sc*/ .SbeZk{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;height:5.6rem;margin-bottom:0;color:#242424;}/*!sc*/ data-styled.g66[id="bie152-11"]{content:"SbeZk,"}/*!sc*/ 
.kAjmGL{height:100%;width:auto;border-radius:50%;margin-right:1.6rem;}/*!sc*/ data-styled.g67[id="bie152-12"]{content:"kAjmGL,"}/*!sc*/ .coofmK{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;}/*!sc*/ data-styled.g68[id="bie152-13"]{content:"coofmK,"}/*!sc*/ .czqHud{font-weight:500;margin:0;font-size:1.6rem;color:#242424;-webkit-letter-spacing:-0.02rem;-moz-letter-spacing:-0.02rem;-ms-letter-spacing:-0.02rem;letter-spacing:-0.02rem;text-align:left;line-height:2.4rem;}/*!sc*/ data-styled.g69[id="bie152-14"]{content:"czqHud,"}/*!sc*/ .fCRjyY{font-size:1.6rem;color:#606060;font-weight:300;-webkit-letter-spacing:0.01rem;-moz-letter-spacing:0.01rem;-ms-letter-spacing:0.01rem;letter-spacing:0.01rem;text-align:left;line-height:2.4rem;margin:0;}/*!sc*/ data-styled.g70[id="bie152-15"]{content:"fCRjyY,"}/*!sc*/ .hFSvgw{margin:3.2rem 2.4rem 0;opacity:0.7;font-weight:400;font-size:1.3rem;color:#333;-webkit-letter-spacing:0.008rem;-moz-letter-spacing:0.008rem;-ms-letter-spacing:0.008rem;letter-spacing:0.008rem;text-align:left;line-height:2.4rem;text-transform:capitalize;}/*!sc*/ @media screen and (min-width:900px){.hFSvgw{margin:3.2rem 0 0;font-weight:300;font-size:1.6rem;color:#606060;-webkit-letter-spacing:0.01rem;-moz-letter-spacing:0.01rem;-ms-letter-spacing:0.01rem;letter-spacing:0.01rem;}}/*!sc*/ data-styled.g71[id="bie152-16"]{content:"hFSvgw,"}/*!sc*/ .gZejMy{-webkit-flex:1;-ms-flex:1;flex:1;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;-webkit-box-pack:center;-webkit-justify-content:center;-ms-flex-pack:center;justify-content:center;}/*!sc*/ data-styled.g72[id="bie152-17"]{content:"gZejMy,"}/*!sc*/ 
.lgMHlS{margin:0;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-ms-flex-pack:center;justify-content:center;background-size:cover;background-image:url('https://images.ctfassets.net/23aumh6u8s0i/4hewpJDm0cpCwKydQjq8Gj/0c4f2cf6632d5067c5a9663bf8925a65/the-confused-developer-01.jpg');min-width:44.8rem;height:52.8rem;}/*!sc*/ @media screen and (min-width:900px){.lgMHlS{min-width:44.8rem;height:52.8rem;background-size:contain;background-repeat:no-repeat;background-position:center;}}/*!sc*/ @media screen and (min-width:1200px){.lgMHlS{width:58.8rem;height:52.8rem;background-size:cover;}}/*!sc*/ data-styled.g73[id="bie152-18"]{content:"lgMHlS,"}/*!sc*/ .klcxrk{max-width:100%;width:100%;height:auto;margin:0;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-ms-flex-pack:center;justify-content:center;}/*!sc*/ data-styled.g74[id="bie152-19"]{content:"klcxrk,"}/*!sc*/ .jWmJon{overflow:hidden;padding:6rem 0 0 0;grid-column:3/4;font-weight:300;font-size:1.6rem;-webkit-letter-spacing:0.01rem;-moz-letter-spacing:0.01rem;-ms-letter-spacing:0.01rem;letter-spacing:0.01rem;line-height:2.8rem;}/*!sc*/ .jWmJon .twitter-tweet{margin:auto;}/*!sc*/ .jWmJon p{margin-bottom:3.2rem;}/*!sc*/ .jWmJon strong{font-weight:500;}/*!sc*/ .jWmJon .alert-info{background-color:#daf4fd;color:#097093;}/*!sc*/ .jWmJon .alert-info p{margin-bottom:0;display:inline;}/*!sc*/ .jWmJon .alert-danger{background-color:#ffd8cc;color:#801f00;}/*!sc*/ .jWmJon .alert-success{background-color:#e5f8d1;color:#3f6910;}/*!sc*/ .jWmJon .alert-info svg,.jWmJon .alert-danger svg,.jWmJon .alert-success svg{vertical-align:middle;}/*!sc*/ .jWmJon .alert-info strong,.jWmJon .alert-danger strong,.jWmJon .alert-success strong{vertical-align:middle;}/*!sc*/ .jWmJon .alert-info p,.jWmJon .alert-danger p,.jWmJon .alert-success p{margin-bottom:0;display:inline;}/*!sc*/ .jWmJon 
.alert{padding:1.5rem;margin-bottom:2.8rem;border-radius:0.3rem;border:0;}/*!sc*/ .jWmJon iframe{margin:0 auto 3.2rem;display:block;}/*!sc*/ .jWmJon video{max-width:100%;}/*!sc*/ @media screen and (min-width:900px){.jWmJon{font-size:2rem;-webkit-letter-spacing:0.02rem;-moz-letter-spacing:0.02rem;-ms-letter-spacing:0.02rem;letter-spacing:0.02rem;line-height:3.2rem;padding:0 5rem 0 0;}}/*!sc*/ .jWmJon h2,.jWmJon h3,.jWmJon h4{margin-bottom:1.5rem;}/*!sc*/ .jWmJon h2{font-weight:600;font-size:2.8rem;-webkit-letter-spacing:-0.02rem;-moz-letter-spacing:-0.02rem;-ms-letter-spacing:-0.02rem;letter-spacing:-0.02rem;line-height:3.2rem;}/*!sc*/ .jWmJon h3{font-size:2.4rem;font-weight:500;opacity:0.7;line-height:1.5;}/*!sc*/ .jWmJon blockquote{margin:3.2rem 0;font-weight:500;font-size:2rem;color:#424242;-webkit-letter-spacing:0.02rem;-moz-letter-spacing:0.02rem;-ms-letter-spacing:0.02rem;letter-spacing:0.02rem;text-align:left;line-height:3.2rem;border-left:0.1rem solid #eb5424;padding:0 0 0 1.5rem;font-style:normal;}/*!sc*/ .jWmJon a{color:#242424;border-bottom:solid 0.1rem #eb5424;font-size:1.6rem;}/*!sc*/ @media screen and (min-width:900px){.jWmJon a{font-size:2rem;}}/*!sc*/ .jWmJon code{font-size:1.5rem;border:0.1rem solid #e8e8e8;border-radius:0.3rem;background-color:#eef;padding:0.1rem 0.5rem;font-family:Consolas,Monaco,'Andale Mono','Ubuntu Mono',monospace;}/*!sc*/ .jWmJon pre{color:#fff;background-color:#011627;overflow-x:auto;padding:0.8rem 1.2rem;border:0.1rem solid #e8e8e8;border-radius:0.3rem;line-height:1.7;word-break:break-all;}/*!sc*/ .jWmJon pre code{padding:0;font-size:1.4rem;background-color:#011627;white-space:pre;color:#fff;overflow-x:auto;border:0;}/*!sc*/ .jWmJon pre code[class*='language-']{color:#ffffff;border:0;background-color:#011627;font-size:1.4rem;text-align:left;white-space:pre;word-spacing:normal;word-break:normal;word-wrap:normal;tab-size:4;-webkit-hyphens:none;-moz-hyphens:none;-ms-hyphens:none;hyphens:none;}/*!sc*/ .jWmJon pre 
code[class*='language-'] .token::selection{background:rgba(29,59,83,0.99);}/*!sc*/ .jWmJon pre code[class*='language-'] .token.comment,.jWmJon pre code[class*='language-'] .token.prolog,.jWmJon pre code[class*='language-'] .token.cdata{color:rgb(99,119,119);}/*!sc*/ .jWmJon pre code[class*='language-'] .token.punctuation{color:rgb(199,146,234);}/*!sc*/ .jWmJon pre code[class*='language-'] .namespace{color:rgb(178,204,214);}/*!sc*/ .jWmJon pre code[class*='language-'] .token.deleted{color:rgba(239,83,80,0.56);}/*!sc*/ .jWmJon pre code[class*='language-'] .token.symbol,.jWmJon pre code[class*='language-'] .token.property{color:rgb(128,203,196);}/*!sc*/ .jWmJon pre code[class*='language-'] .token.tag,.jWmJon pre code[class*='language-'] .token.operator,.jWmJon pre code[class*='language-'] .token.keyword{color:rgb(127,219,202);}/*!sc*/ .jWmJon pre code[class*='language-'] .token.boolean{color:rgb(255,88,116);}/*!sc*/ .jWmJon pre code[class*='language-'] .token.number{color:rgb(247,140,108);}/*!sc*/ .jWmJon pre code[class*='language-'] .token.constant,.jWmJon pre code[class*='language-'] .token.function,.jWmJon pre code[class*='language-'] .token.builtin,.jWmJon pre code[class*='language-'] .token.char{color:rgb(130,170,255);}/*!sc*/ .jWmJon pre code[class*='language-'] .token.selector,.jWmJon pre code[class*='language-'] .token.doctype{color:rgb(199,146,234);}/*!sc*/ .jWmJon pre code[class*='language-'] .token.attr-name,.jWmJon pre code[class*='language-'] .token.inserted{color:rgb(173,219,103);}/*!sc*/ .jWmJon pre code[class*='language-'] .token.string,.jWmJon pre code[class*='language-'] .token.url,.jWmJon pre code[class*='language-'] .token.entity,.jWmJon pre code[class*='language-'] .language-css .token.string,.jWmJon pre code[class*='language-'] .style .token.string{color:rgb(173,219,103);}/*!sc*/ .jWmJon pre code[class*='language-'] .token.class-name,.jWmJon pre code[class*='language-'] .token.atrule,.jWmJon pre code[class*='language-'] 
.token.attr-value{color:rgb(255,203,139);}/*!sc*/ .jWmJon pre code[class*='language-'] .token.regex,.jWmJon pre code[class*='language-'] .token.important,.jWmJon pre code[class*='language-'] .token.variable{color:rgb(214,222,235);}/*!sc*/ .jWmJon pre code[class*='language-'] .token.important,.jWmJon pre code[class*='language-'] .token.bold{font-weight:bold;}/*!sc*/ .jWmJon pre code[class*='language-']::selection{text-shadow:none;background:rgba(29,59,83,0.99);}/*!sc*/ .jWmJon details{background:#f5f7f9;padding:3.2rem 3.2rem 0.01rem;margin-bottom:3.2rem;}/*!sc*/ .jWmJon details summary{cursor:pointer;margin-bottom:3.2rem;}/*!sc*/ .jWmJon details summary:focus{outline:none;}/*!sc*/ .jWmJon .try-banner{text-align:center;background:#f5f7f9;padding:7rem 2rem;border-radius:0.3rem;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-ms-flex-pack:center;justify-content:center;margin:calc(2.4rem / -2) calc(2.4rem / -2);}/*!sc*/ .jWmJon .try-banner > *{margin:calc(2.4rem / 2) calc(2.4rem / 2);}/*!sc*/ .jWmJon .try-banner svg{margin-right:0;}/*!sc*/ .jWmJon .try-banner p{margin-bottom:0;display:inline;line-height:1.6rem;}/*!sc*/ .jWmJon .try-banner .btn{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;position:static;font-weight:500;text-align:center;touch-action:manipulation;cursor:pointer;background-image:none;white-space:nowrap;padding:0.8rem 1.6rem;line-height:2;border-radius:0.3rem;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;-webkit-transition:background-color 0.2s ease;transition:background-color 0.2s ease;text-transform:uppercase;-webkit-letter-spacing:0.1rem;-moz-letter-spacing:0.1rem;-ms-letter-spacing:0.1rem;letter-spacing:0.1rem;}/*!sc*/ .jWmJon .try-banner .btn-lg{padding:1.6rem 
3rem;line-height:1.3333333;border-radius:0.3rem;}/*!sc*/ .jWmJon .try-banner .btn-default{color:#333;background-color:#f1f1f1;}/*!sc*/ .jWmJon .try-banner .btn-default:hover{background-color:#d7d7d7;}/*!sc*/ data-styled.g86[id="nlufiy-0"]{content:"jWmJon,"}/*!sc*/ .dOMuZW{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-ms-flex-pack:center;justify-content:center;list-style:none;padding:0;margin:2rem 0 0;}/*!sc*/ @media screen and (min-width:900px){.dOMuZW{margin:8rem 0 0;}}/*!sc*/ data-styled.g87[id="nlufiy-1"]{content:"dOMuZW,"}/*!sc*/ .fXIXML{margin:0 0.8rem;}/*!sc*/ data-styled.g88[id="nlufiy-2"]{content:"fXIXML,"}/*!sc*/ .jFCgAB{color:#242424;font-size:1.6rem;position:relative;}/*!sc*/ .jFCgAB.jFCgAB{border:0;}/*!sc*/ .jFCgAB::after{position:absolute;top:-4rem;right:-2rem;width:11rem;text-align:center;opacity:0;-webkit-transition:opacity 0.15s ease-in-out;transition:opacity 0.15s ease-in-out;display:block;font-size:1.1rem;padding:0.1rem;background:#f9f9fb;border:0.1rem solid #cdd2d4;border-radius:0.3rem;margin:0;box-shadow:0 0.1rem 1.2rem rgba(0,0,0,0.1);color:#242424;content:'Share on Twitter';}/*!sc*/ .jFCgAB:hover::after{opacity:1;}/*!sc*/ @media screen and (min-width:900px){.jFCgAB{font-size:2rem;}}/*!sc*/ .jRHWVS{color:#242424;font-size:1.6rem;position:relative;}/*!sc*/ .jRHWVS.jRHWVS{border:0;}/*!sc*/ .jRHWVS::after{position:absolute;top:-4rem;right:-2rem;width:11rem;text-align:center;opacity:0;-webkit-transition:opacity 0.15s ease-in-out;transition:opacity 0.15s ease-in-out;display:block;font-size:1.1rem;padding:0.1rem;background:#f9f9fb;border:0.1rem solid #cdd2d4;border-radius:0.3rem;margin:0;box-shadow:0 0.1rem 1.2rem rgba(0,0,0,0.1);color:#242424;content:'Share on LinkedIn';}/*!sc*/ .jRHWVS:hover::after{opacity:1;}/*!sc*/ @media screen and (min-width:900px){.jRHWVS{font-size:2rem;}}/*!sc*/ .dCgmko{color:#242424;font-size:1.6rem;position:relative;}/*!sc*/ 
.dCgmko.dCgmko{border:0;}/*!sc*/ .dCgmko::after{position:absolute;top:-4rem;right:-2rem;width:11rem;text-align:center;opacity:0;-webkit-transition:opacity 0.15s ease-in-out;transition:opacity 0.15s ease-in-out;display:block;font-size:1.1rem;padding:0.1rem;background:#f9f9fb;border:0.1rem solid #cdd2d4;border-radius:0.3rem;margin:0;box-shadow:0 0.1rem 1.2rem rgba(0,0,0,0.1);color:#242424;content:'Share on Facebook';}/*!sc*/ .dCgmko:hover::after{opacity:1;}/*!sc*/ @media screen and (min-width:900px){.dCgmko{font-size:2rem;}}/*!sc*/ data-styled.g89[id="nlufiy-3"]{content:"jFCgAB,jRHWVS,dCgmko,"}/*!sc*/ .ePxsiZ{width:25rem;height:16.4rem;background-size:cover;}/*!sc*/ data-styled.g91[id="sc-1ktgc0z-0"]{content:"ePxsiZ,"}/*!sc*/ .btYtMQ{padding-left:3.2rem;padding-right:4.4rem;padding-top:2.4rem;font-weight:900;line-height:2.2rem;color:#fff;text-transform:capitalize;font-size:1.6rem;margin-bottom:3.2rem;}/*!sc*/ data-styled.g92[id="sc-1ktgc0z-1"]{content:"btYtMQ,"}/*!sc*/ .bEaAFf{background:linear-gradient(90deg,#b23176 0%,#cc4533 97.35%);border-radius:0.4rem;color:#fff;font-size:1.3rem;font-weight:500;bottom:1.8rem;width:15rem;text-transform:none;margin-left:3.2rem;margin-top:1.8rem;line-height:2.4rem;-webkit-letter-spacing:0;-moz-letter-spacing:0;-ms-letter-spacing:0;letter-spacing:0;display:block;text-align:center;padding:0.8rem 1.6rem;}/*!sc*/ .bEaAFf:hover{background-color:#ca3f12;border-color:#a93510;color:#fff;-webkit-text-decoration:none;text-decoration:none;-webkit-transition:background-color 0.2s ease;transition:background-color 0.2s ease;}/*!sc*/ data-styled.g93[id="sc-1ktgc0z-2"]{content:"bEaAFf,"}/*!sc*/ .cKsdik{background:#000;}/*!sc*/ data-styled.g100[id="jf943f-0"]{content:"cKsdik,"}/*!sc*/ .dUQsAt{background:linear-gradient(90deg,#000000 0.47%,rgba(0,0,0,0) 99.55%);height:16.4rem;position:absolute;right:3.3rem;width:19.8rem;z-index:1;}/*!sc*/ data-styled.g101[id="jf943f-1"]{content:"dUQsAt,"}/*!sc*/ 
.eRLcbe{position:absolute;right:3.5rem;z-index:0;}/*!sc*/ data-styled.g102[id="jf943f-2"]{content:"eRLcbe,"}/*!sc*/ .gcjrtn{position:relative;z-index:2;}/*!sc*/ data-styled.g103[id="jf943f-3"]{content:"gcjrtn,"}/*!sc*/ .hXEhDR{background:#eb5424;position:relative;z-index:2;}/*!sc*/ data-styled.g105[id="jf943f-5"]{content:"hXEhDR,"}/*!sc*/ .bMXvsY{display:none;}/*!sc*/ @media screen and (min-width:900px){.bMXvsY{grid-column:1/2;display:block;}}/*!sc*/ data-styled.g106[id="sc-1y9xkzh-0"]{content:"bMXvsY,"}/*!sc*/ .hTZJuI{position:-webkit-sticky;position:sticky;top:0;padding-top:4rem;}/*!sc*/ data-styled.g107[id="sc-1y9xkzh-1"]{content:"hTZJuI,"}/*!sc*/ .iHLAoI{list-style:none;margin:0;padding:4rem 0 0 0;}/*!sc*/ data-styled.g114[id="sc-1y9xkzh-8"]{content:"iHLAoI,"}/*!sc*/ .kSDgak{border-left:0.1rem solid #d8d8d8;padding:0.6rem 0 0.6rem 1.6rem;margin:1.6rem 0;}/*!sc*/ .kSDgak:hover{border-left:0.1rem solid #242424;}/*!sc*/ .kSDgak:hover span{color:#242424;}/*!sc*/ data-styled.g115[id="sc-1y9xkzh-9"]{content:"kSDgak,"}/*!sc*/ .gUppOI{font-weight:400;font-size:1.3rem;color:#606060;-webkit-letter-spacing:0;-moz-letter-spacing:0;-ms-letter-spacing:0;letter-spacing:0;line-height:2.4rem;display:block;}/*!sc*/ data-styled.g116[id="sc-1y9xkzh-10"]{content:"gUppOI,"}/*!sc*/ .iKGOGZ{font-weight:600;font-size:1.3rem;color:#606060;-webkit-letter-spacing:0.135rem;-moz-letter-spacing:0.135rem;-ms-letter-spacing:0.135rem;letter-spacing:0.135rem;line-height:2.4rem;text-transform:uppercase;margin:0;display:inline;}/*!sc*/ data-styled.g117[id="sc-1y9xkzh-11"]{content:"iKGOGZ,"}/*!sc*/ .giJJK{margin-left:0.3rem;}/*!sc*/ data-styled.g118[id="sc-1y9xkzh-12"]{content:"giJJK,"}/*!sc*/ .lhZmdi{background:#fff;border-top:solid 0.1rem #cdd2d4;border-bottom:solid 0.1rem #cdd2d4;}/*!sc*/ data-styled.g130[id="afpbj5-0"]{content:"lhZmdi,"}/*!sc*/ .jUlrnr{max-width:122.6rem;margin:0 auto;padding:0 1.6rem;}/*!sc*/ data-styled.g131[id="afpbj5-1"]{content:"jUlrnr,"}/*!sc*/ 
.kKffdm{display:none;}/*!sc*/ @media screen and (min-width:900px){.kKffdm{margin:8rem 0;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-ms-flex-pack:center;justify-content:center;}}/*!sc*/ data-styled.g132[id="afpbj5-2"]{content:"kKffdm,"}/*!sc*/ .fTfQKv{border-radius:50%;height:8.2rem;width:8.2rem;margin-right:2.3rem;}/*!sc*/ @media screen and (min-width:900px){.fTfQKv{height:16rem;width:16rem;margin-right:4.6rem;}}/*!sc*/ data-styled.g133[id="afpbj5-3"]{content:"fTfQKv,"}/*!sc*/ .gnZRGE{-webkit-flex-basis:100%;-ms-flex-preferred-size:100%;flex-basis:100%;}/*!sc*/ @media screen and (min-width:900px){.gnZRGE{-webkit-flex-basis:50%;-ms-flex-preferred-size:50%;flex-basis:50%;}}/*!sc*/ data-styled.g134[id="afpbj5-4"]{content:"gnZRGE,"}/*!sc*/ .hKELzO{font-weight:400;font-size:2rem;color:#000;-webkit-letter-spacing:0.02rem;-moz-letter-spacing:0.02rem;-ms-letter-spacing:0.02rem;letter-spacing:0.02rem;line-height:3.2rem;margin:0;opacity:1;}/*!sc*/ @media screen and (min-width:900px){.hKELzO{font-size:3.2rem;-webkit-letter-spacing:-0.035rem;-moz-letter-spacing:-0.035rem;-ms-letter-spacing:-0.035rem;letter-spacing:-0.035rem;line-height:4rem;margin-bottom:3.2rem;}}/*!sc*/ data-styled.g135[id="afpbj5-5"]{content:"hKELzO,"}/*!sc*/ .kXpFsO{opacity:0.87;font-weight:600;font-size:1rem;color:#000;-webkit-letter-spacing:0.1rem;-moz-letter-spacing:0.1rem;-ms-letter-spacing:0.1rem;letter-spacing:0.1rem;line-height:1.6rem;text-transform:uppercase;}/*!sc*/ @media screen and (min-width:900px){.kXpFsO{font-size:1.3rem;-webkit-letter-spacing:0.135rem;-moz-letter-spacing:0.135rem;-ms-letter-spacing:0.135rem;letter-spacing:0.135rem;line-height:2.4rem;margin:0;opacity:0.7;}}/*!sc*/ data-styled.g136[id="afpbj5-6"]{content:"kXpFsO,"}/*!sc*/ .beRytG{margin:3.8rem 0 
2.3rem;font-weight:300;font-size:1.6rem;-webkit-letter-spacing:0.01rem;-moz-letter-spacing:0.01rem;-ms-letter-spacing:0.01rem;letter-spacing:0.01rem;line-height:2.4rem;}/*!sc*/ @media screen and (min-width:900px){.beRytG{margin:0.8rem 0 1.6rem;}}/*!sc*/ .beRytG a{font-weight:700;color:#242424;}/*!sc*/ .beRytG a:hover{color:#242424;}/*!sc*/ data-styled.g137[id="afpbj5-7"]{content:"beRytG,"}/*!sc*/ .gtgUdW{font-weight:600;font-size:1.3rem;-webkit-letter-spacing:0.135rem;-moz-letter-spacing:0.135rem;-ms-letter-spacing:0.135rem;letter-spacing:0.135rem;color:#0d96c6;cursor:pointer;-webkit-text-decoration:none;text-decoration:none;text-transform:uppercase;}/*!sc*/ .gtgUdW::after{content:'';display:inline-block;width:0;height:0;border:0.55rem solid transparent;border-left:0.55rem solid #0d96c6;margin-bottom:-0.1rem;margin-left:0.55rem;}/*!sc*/ .gtgUdW:hover{color:#053b4e;-webkit-transition:color 0.25s ease-in;transition:color 0.25s ease-in;}/*!sc*/ .gtgUdW:hover::after{border-left:0.55rem solid #053b4e;-webkit-transition:border 0.25s ease-in;transition:border 0.25s ease-in;}/*!sc*/ data-styled.g138[id="afpbj5-8"]{content:"gtgUdW,"}/*!sc*/ .iDyHSd{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;padding:4.8rem 2.4rem;}/*!sc*/ @media screen and (min-width:900px){.iDyHSd{display:none;}}/*!sc*/ data-styled.g139[id="afpbj5-9"]{content:"iDyHSd,"}/*!sc*/ .iKBEzH{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;}/*!sc*/ data-styled.g140[id="afpbj5-10"]{content:"iKBEzH,"}/*!sc*/ .IuaRy{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;}/*!sc*/ data-styled.g141[id="afpbj5-11"]{content:"IuaRy,"}/*!sc*/ .SwmLi{list-style:none;background:#fff;border:0.1rem solid #e3e5e7;border-radius:0.3rem;-webkit-transition:box-shadow 0.3s;transition:box-shadow 0.3s;padding:0;margin:0.8rem 0;}/*!sc*/ .SwmLi:hover{box-shadow:0 1rem 2rem 0 
rgba(0,0,0,0.1);}/*!sc*/ @media screen and (min-width:900px){.SwmLi{margin:0;}}/*!sc*/ data-styled.g144[id="sc-1t3ptg8-2"]{content:"SwmLi,"}/*!sc*/ .hZxZfg,.hZxZfg:hover{color:#242424;}/*!sc*/ data-styled.g146[id="sc-1t3ptg8-4"]{content:"hZxZfg,"}/*!sc*/ .kDCiDB{background-image:url(https://images.ctfassets.net/23aumh6u8s0i/QBpn5KpUDKvP0FR7BXiDw/29b2675c21584586cc11705cd9543ccb/open-id-connect);background-size:cover;background-position:0% 50%;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-ms-flex-pack:center;justify-content:center;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;margin:0;height:10.4rem;}/*!sc*/ @media screen and (min-width:900px){.kDCiDB{height:25.6rem;}}/*!sc*/ .krYDLk{background-image:url(https://images.ctfassets.net/23aumh6u8s0i/56S9oDWKVeNY8AIszkZvw1/7d6794f3d31d4eedb5a3d3699e796e5c/default);background-size:cover;background-position:0% 50%;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-ms-flex-pack:center;justify-content:center;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;margin:0;height:10.4rem;}/*!sc*/ @media screen and (min-width:900px){.krYDLk{height:25.6rem;}}/*!sc*/ .gvllkx{background-image:url(https://images.ctfassets.net/23aumh6u8s0i/3LicB7o8n7rtwGu6Sfyncy/53bf56ecd9f99f2fecbace9923585228/authentication-tokens);background-size:cover;background-position:0% 50%;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-ms-flex-pack:center;justify-content:center;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;margin:0;height:10.4rem;}/*!sc*/ @media screen and (min-width:900px){.gvllkx{height:25.6rem;}}/*!sc*/ 
data-styled.g147[id="sc-1t3ptg8-5"]{content:"kDCiDB,krYDLk,gvllkx,"}/*!sc*/ .edDGSP{background:#fff;padding:2.4rem;}/*!sc*/ @media screen and (min-width:900px){.edDGSP{padding:4rem;}}/*!sc*/ data-styled.g148[id="sc-1t3ptg8-6"]{content:"edDGSP,"}/*!sc*/ .cCvXbi{font-weight:600;font-size:1rem;-webkit-letter-spacing:0.1rem;-moz-letter-spacing:0.1rem;-ms-letter-spacing:0.1rem;letter-spacing:0.1rem;text-transform:uppercase;margin:0;padding:0 0 0.8rem;color:#49AC6F;}/*!sc*/ @media screen and (min-width:900px){.cCvXbi{font-size:1.3rem;-webkit-letter-spacing:0.135rem;-moz-letter-spacing:0.135rem;-ms-letter-spacing:0.135rem;letter-spacing:0.135rem;}}/*!sc*/ data-styled.g149[id="sc-1t3ptg8-7"]{content:"cCvXbi,"}/*!sc*/ .jVGonE{font-weight:600;font-size:1.6rem;-webkit-letter-spacing:0.035rem;-moz-letter-spacing:0.035rem;-ms-letter-spacing:0.035rem;letter-spacing:0.035rem;line-height:2.4rem;opacity:1;margin:0;}/*!sc*/ @media screen and (min-width:900px){.jVGonE{font-size:2.4rem;-webkit-letter-spacing:-0.02rem;-moz-letter-spacing:-0.02rem;-ms-letter-spacing:-0.02rem;letter-spacing:-0.02rem;line-height:3.2rem;}}/*!sc*/ data-styled.g150[id="sc-1t3ptg8-8"]{content:"jVGonE,"}/*!sc*/ .cUeJxc{background:#f9f9fb;padding:8rem 0 0;}/*!sc*/ data-styled.g167[id="eb4tqf-0"]{content:"cUeJxc,"}/*!sc*/ .eeCWwh{max-width:122.6rem;margin:0 auto;padding:0 1.6rem;}/*!sc*/ data-styled.g168[id="eb4tqf-1"]{content:"eeCWwh,"}/*!sc*/ .eHrQny{opacity:0.7;font-weight:500;font-size:2rem;color:#606060;-webkit-letter-spacing:0.02rem;-moz-letter-spacing:0.02rem;-ms-letter-spacing:0.02rem;letter-spacing:0.02rem;line-height:3.2rem;margin:0 0 2.4rem 0;}/*!sc*/ data-styled.g169[id="eb4tqf-2"]{content:"eHrQny,"}/*!sc*/ .eRFpcL{margin:0;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;padding:0 0 4rem;list-style-type:none;}/*!sc*/ @media screen and 
(min-width:900px){.eRFpcL{padding:0;display:grid;grid-template-columns:repeat(3,1fr);grid-column-gap:2.4rem;grid-row-gap:2.4rem;}}/*!sc*/ data-styled.g170[id="eb4tqf-3"]{content:"eRFpcL,"}/*!sc*/ .wgbeZ{background:#f9f9fb;padding:4rem 0 4.8rem;}/*!sc*/ @media screen and (min-width:900px){.wgbeZ{padding:4rem 0 8rem;}}/*!sc*/ data-styled.g171[id="fr3dgj-0"]{content:"wgbeZ,"}/*!sc*/ .dGWFvT{max-width:122.6rem;margin:0 auto;padding:0 1.6rem;}/*!sc*/ data-styled.g172[id="fr3dgj-1"]{content:"dGWFvT,"}/*!sc*/ .ejdPpM{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:justify;-webkit-justify-content:space-between;-ms-flex-pack:justify;justify-content:space-between;}/*!sc*/ data-styled.g173[id="fr3dgj-2"]{content:"ejdPpM,"}/*!sc*/ .ftCbBx{opacity:0.7;font-weight:500;font-size:2rem;color:#606060;-webkit-letter-spacing:0.02rem;-moz-letter-spacing:0.02rem;-ms-letter-spacing:0.02rem;letter-spacing:0.02rem;line-height:3.2rem;margin:0 0 2.4rem;}/*!sc*/ data-styled.g174[id="fr3dgj-3"]{content:"ftCbBx,"}/*!sc*/ .fJKZGu{cursor:pointer;}/*!sc*/ data-styled.g175[id="fr3dgj-4"]{content:"fJKZGu,"}/*!sc*/ .iGOHXJ{font-weight:300;font-size:1.6rem;color:#242424;-webkit-letter-spacing:0.01rem;-moz-letter-spacing:0.01rem;-ms-letter-spacing:0.01rem;letter-spacing:0.01rem;text-align:left;line-height:2.4rem;margin-bottom:3.2rem;}/*!sc*/ data-styled.g178[id="fr3dgj-7"]{content:"iGOHXJ,"}/*!sc*/ .ddqoCH{color:#242424;border-bottom:0.1rem solid #eb5424;}/*!sc*/ data-styled.g181[id="fr3dgj-10"]{content:"ddqoCH,"}/*!sc*/ .gBETVu{font-weight:500;}/*!sc*/ data-styled.g182[id="fr3dgj-11"]{content:"gBETVu,"}/*!sc*/ .kEXVJZ{background:#fff;padding:0 0 4.8rem;}/*!sc*/ @media screen and (min-width:900px){.kEXVJZ{padding:8rem 0;}}/*!sc*/ data-styled.g184[id="v0njjd-0"]{content:"kEXVJZ,"}/*!sc*/ .dHwRRo{max-width:122.6rem;margin:0 
auto;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;padding:0 2.4rem;}/*!sc*/ @media screen and (min-width:900px){.dHwRRo{padding:8rem 0.6rem 0;display:grid;grid-template-columns:32.8rem 5rem 2fr;grid-template-rows:repeat(2,auto);}}/*!sc*/ data-styled.g185[id="v0njjd-1"]{content:"dHwRRo,"}/*!sc*/ .eOJQKq{display:block;}/*!sc*/ data-styled.g186[id="v0njjd-2"]{content:"eOJQKq,"}/*!sc*/ .jHZpuz{position:-webkit-sticky;position:sticky;top:0;background:#242424;z-index:999;}/*!sc*/ .jHZpuz.hide-blog-nav{display:none;}/*!sc*/ @media screen and (min-width:900px){.jHZpuz.hide-blog-nav{display:block;}}/*!sc*/ data-styled.g203[id="qfu855-0"]{content:"jHZpuz,"}/*!sc*/ .cohnnM{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:justify;-webkit-justify-content:space-between;-ms-flex-pack:justify;justify-content:space-between;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;margin:0 auto;padding:0 1.6rem 0 1rem;height:6rem;}/*!sc*/ @media screen and (min-width:900px){.cohnnM{max-width:144rem;padding:0 1.6rem;margin:0 auto;height:8rem;}}/*!sc*/ data-styled.g204[id="qfu855-1"]{content:"cohnnM,"}/*!sc*/ .hReZRI{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-transform:scale(0.9);-ms-transform:scale(0.9);transform:scale(0.9);}/*!sc*/ @media screen and (min-width:900px){.hReZRI{-webkit-transform:none;-ms-transform:none;transform:none;}}/*!sc*/ data-styled.g205[id="qfu855-2"]{content:"hReZRI,"}/*!sc*/ .BbhZl{color:#242424;-webkit-align-self:center;-ms-flex-item-align:center;align-self:center;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;}/*!sc*/ .BbhZl:hover{opacity:0.8;}/*!sc*/ data-styled.g206[id="qfu855-3"]{content:"BbhZl,"}/*!sc*/ .fyvoSS{display:none;list-style:none;padding:0;margin:0;}/*!sc*/ @media screen and 
(min-width:1200px){.fyvoSS{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:space-evenly;-webkit-justify-content:space-evenly;-ms-flex-pack:space-evenly;justify-content:space-evenly;}}/*!sc*/ data-styled.g207[id="qfu855-4"]{content:"fyvoSS,"}/*!sc*/ .dQKcqD{padding:0 1rem;}/*!sc*/ @media screen and (min-width:900px){.dQKcqD{padding:0 1.6rem;}}/*!sc*/ data-styled.g208[id="qfu855-5"]{content:"dQKcqD,"}/*!sc*/ .fQFuzE{font-size:1.5rem;color:#cdd2d4;line-height:2.4rem;font-weight:400;-webkit-letter-spacing:0.02rem;-moz-letter-spacing:0.02rem;-ms-letter-spacing:0.02rem;letter-spacing:0.02rem;}/*!sc*/ .fQFuzE:hover{color:white;}/*!sc*/ data-styled.g209[id="qfu855-6"]{content:"fQFuzE,"}/*!sc*/ .hVUOsD{display:none;}/*!sc*/ @media screen and (min-width:900px){.hVUOsD{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:space-evenly;-webkit-justify-content:space-evenly;-ms-flex-pack:space-evenly;justify-content:space-evenly;}}/*!sc*/ data-styled.g210[id="qfu855-7"]{content:"hVUOsD,"}/*!sc*/ .bMXPDE{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;}/*!sc*/ @media screen and (min-width:900px){.bMXPDE{display:none;}}/*!sc*/ data-styled.g211[id="qfu855-8"]{content:"bMXPDE,"}/*!sc*/ .fzCeRu{font-weight:600;font-size:1.4rem;color:#fff;-webkit-letter-spacing:0.1rem;-moz-letter-spacing:0.1rem;-ms-letter-spacing:0.1rem;letter-spacing:0.1rem;text-transform:uppercase;background:transparent;border:0.1rem solid #cdd2d4;padding:1.2rem;line-height:3.2rem;border-radius:0.3rem;}/*!sc*/ .fzCeRu:hover{border:0.1rem solid #fff;color:#fff;}/*!sc*/ @media screen and (min-width:900px){.fzCeRu{font-weight:400;-webkit-letter-spacing:0;-moz-letter-spacing:0;-ms-letter-spacing:0;letter-spacing:0;color:#CDD2D4;text-transform:none;padding:0 1.6rem;}}/*!sc*/ data-styled.g212[id="qfu855-9"]{content:"fzCeRu,"}/*!sc*/ 
.kjKZJW{margin-bottom:0.8rem;font-weight:600;font-size:1.4rem;color:#fff;-webkit-letter-spacing:0.1rem;-moz-letter-spacing:0.1rem;-ms-letter-spacing:0.1rem;letter-spacing:0.1rem;text-transform:uppercase;background-color:#eb5424;border:0.1rem solid #eb5424;padding:1.2rem;line-height:3.2rem;border-radius:0.3rem;}/*!sc*/ .kjKZJW:hover{cursor:pointer;color:#fff;background-color:#d94514;}/*!sc*/ @media screen and (min-width:900px){.kjKZJW{margin-left:1.6rem;margin-bottom:0;font-size:1.1rem;-webkit-letter-spacing:0.092rem;-moz-letter-spacing:0.092rem;-ms-letter-spacing:0.092rem;letter-spacing:0.092rem;padding:0 1.6rem;}}/*!sc*/ data-styled.g213[id="qfu855-10"]{content:"kjKZJW,"}/*!sc*/ .bUpImh{display:none;width:2.6rem;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;cursor:pointer;opacity:0.8;margin-left:2.4rem;}/*!sc*/ .bUpImh:hover{opacity:1;}/*!sc*/ @media screen and (min-width:900px){.bUpImh{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;}}/*!sc*/ data-styled.g214[id="qfu855-11"]{content:"bUpImh,"}/*!sc*/ .fQdvpT{width:2.6rem;cursor:pointer;opacity:0.8;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;}/*!sc*/ @media screen and (min-width:900px){.fQdvpT{display:none;}}/*!sc*/ data-styled.g215[id="qfu855-12"]{content:"fQdvpT,"}/*!sc*/ .ggbIzm{display:none;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;}/*!sc*/ data-styled.g216[id="qfu855-13"]{content:"ggbIzm,"}/*!sc*/ .cOJQfD{margin-left:2rem;cursor:pointer;opacity:0.8;}/*!sc*/ data-styled.g217[id="qfu855-14"]{content:"cOJQfD,"}/*!sc*/ .huIner{visibility:hidden;z-index:1;position:absolute;background:#242424;width:100%;height:100%;display:block;overflow-y:scroll;overflow-x:hidden;}/*!sc*/ data-styled.g218[id="qfu855-15"]{content:"huIner,"}/*!sc*/ .dPBwKt{list-style:none;padding:0;margin:3rem 
2.4rem;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}/*!sc*/ data-styled.g219[id="qfu855-16"]{content:"dPBwKt,"}/*!sc*/ .hdfvqY{padding:2.5rem 0 0;}/*!sc*/ data-styled.g220[id="qfu855-17"]{content:"hdfvqY,"}/*!sc*/ .gINsin{color:#fff;font-weight:500;font-size:2.5rem;text-align:center;line-height:3.75rem;}/*!sc*/ .gINsin:hover{color:#fff;}/*!sc*/ data-styled.g221[id="qfu855-18"]{content:"gINsin,"}/*!sc*/ .jWrqOS{padding:6rem 0 0;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;width:100%;}/*!sc*/ data-styled.g222[id="qfu855-19"]{content:"jWrqOS,"}/*!sc*/ .qqefI{margin-bottom:0.8rem;font-weight:600;font-size:1.4rem;color:#fff;-webkit-letter-spacing:0.1rem;-moz-letter-spacing:0.1rem;-ms-letter-spacing:0.1rem;letter-spacing:0.1rem;text-transform:uppercase;background:#eb5424;border:0.1rem solid #eb5424;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-ms-flex-pack:center;justify-content:center;line-height:3.2rem;padding:1.2rem 0;border-radius:0.3rem;}/*!sc*/ .qqefI:hover{color:#fff;background:#d94514;border:0.1rem solid #d94514;cursor:pointer;}/*!sc*/ data-styled.g223[id="qfu855-20"]{content:"qqefI,"}/*!sc*/ .hkSJcp{font-weight:600;font-size:1.4rem;color:#fff;-webkit-letter-spacing:0.1rem;-moz-letter-spacing:0.1rem;-ms-letter-spacing:0.1rem;letter-spacing:0.1rem;text-transform:uppercase;background:transparent;border:0.1rem solid #cdd2d4;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-ms-flex-pack:center;justify-content:center;line-height:3.2rem;padding:1.2rem 0;border-radius:0.3rem;}/*!sc*/ 
.hkSJcp:hover{border-color:#fff;color:#fff;}/*!sc*/ data-styled.g224[id="qfu855-21"]{content:"hkSJcp,"}/*!sc*/ .eJSREB{background-image:url('https://cdn.auth0.com/website/marketplace-header-bg.png');background-size:cover;background-position:bottom;font-weight:800;text-align:center;top:0;height:5rem;max-height:5rem;color:#fff;font-size:1.7rem;position:relative;overflow:hidden;padding-top:0.8rem;display:none;}/*!sc*/ @media screen and (min-width:900px){.eJSREB{display:block;}}/*!sc*/ data-styled.g225[id="lwvj4y-0"]{content:"eJSREB,"}/*!sc*/ .gIKTKh{float:right;padding:0.4rem 2rem 0 0;height:3rem;width:3.8rem;}/*!sc*/ .gIKTKh:hover{cursor:pointer;}/*!sc*/ data-styled.g228[id="lwvj4y-3"]{content:"gIKTKh,"}/*!sc*/ .fpXLVz{position:fixed;top:0;left:0;background:#eb5424;height:0.5rem;-webkit-transition:all 0.2s ease-in-out;transition:all 0.2s ease-in-out;z-index:99999;}/*!sc*/ data-styled.g237[id="u5ztjm-0"]{content:"fpXLVz,"}/*!sc*/ .kFxyKJ{background-color:#fff;}/*!sc*/ data-styled.g238[id="sc-1cjm8t9-0"]{content:"kFxyKJ,"}/*!sc*/ .hCUaZa{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;border-bottom:solid 0.1rem #cdd2d4;border-top:solid 0.1rem #cdd2d4;padding:4rem 2.5rem;}/*!sc*/ @media screen and (min-width:900px){.hCUaZa{-webkit-flex-direction:row;-ms-flex-direction:row;flex-direction:row;padding:8rem 0;-webkit-box-pack:space-around;-webkit-justify-content:space-around;-ms-flex-pack:space-around;justify-content:space-around;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}}/*!sc*/ data-styled.g239[id="sc-1cjm8t9-1"]{content:"hCUaZa,"}/*!sc*/ .jqjLnD{font-weight:300;font-size:2.4rem;color:#242424;-webkit-letter-spacing:0.02rem;-moz-letter-spacing:0.02rem;-ms-letter-spacing:0.02rem;letter-spacing:0.02rem;line-height:3.6rem;margin-top:0;}/*!sc*/ @media screen and 
(min-width:900px){.jqjLnD{font-size:3.2rem;-webkit-letter-spacing:0.015rem;-moz-letter-spacing:0.015rem;-ms-letter-spacing:0.015rem;letter-spacing:0.015rem;line-height:4rem;font-weight:400;}}/*!sc*/ data-styled.g241[id="sc-1cjm8t9-3"]{content:"jqjLnD,"}/*!sc*/ .dyFOzi{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;}/*!sc*/ @media screen and (min-width:900px){.dyFOzi{-webkit-flex-direction:row;-ms-flex-direction:row;flex-direction:row;}}/*!sc*/ data-styled.g242[id="sc-1cjm8t9-4"]{content:"dyFOzi,"}/*!sc*/ .eYcLwW{padding:0.6rem 2.4rem;text-transform:uppercase;font-weight:600;font-size:1.3rem;-webkit-letter-spacing:0.135rem;-moz-letter-spacing:0.135rem;-ms-letter-spacing:0.135rem;letter-spacing:0.135rem;cursor:pointer;border-radius:0.3rem;text-align:center;margin-bottom:0.8rem;line-height:3.2rem;}/*!sc*/ @media screen and (min-width:900px){.eYcLwW{-webkit-align-self:center;-ms-flex-item-align:center;align-self:center;margin-bottom:0;}}/*!sc*/ data-styled.g243[id="sc-1cjm8t9-5"]{content:"eYcLwW,"}/*!sc*/ .jLIrRp{padding:0.6rem 2.4rem;text-transform:uppercase;font-weight:600;font-size:1.3rem;-webkit-letter-spacing:0.135rem;-moz-letter-spacing:0.135rem;-ms-letter-spacing:0.135rem;letter-spacing:0.135rem;cursor:pointer;border-radius:0.3rem;text-align:center;margin-bottom:0.8rem;line-height:3.2rem;color:#ffffff;background:#eb5424;border:0.1rem solid #eb5424;}/*!sc*/ @media screen and (min-width:900px){.jLIrRp{-webkit-align-self:center;-ms-flex-item-align:center;align-self:center;margin-bottom:0;}}/*!sc*/ .jLIrRp:hover{background:#d94514;color:#ffffff;border:0.1rem solid #d94514;}/*!sc*/ data-styled.g244[id="sc-1cjm8t9-6"]{content:"jLIrRp,"}/*!sc*/ .iMBUpK{color:#242424;background:transparent;border:0.1rem solid #606060;}/*!sc*/ .iMBUpK:hover{border:0.1rem solid #242424;}/*!sc*/ @media screen and (min-width:900px){.iMBUpK{margin-left:2.4rem;}}/*!sc*/ 
data-styled.g245[id="sc-1cjm8t9-7"]{content:"iMBUpK,"}/*!sc*/ .cKkxOM{background:#f9f9fb;}/*!sc*/ data-styled.g246[id="se2h2f-0"]{content:"cKkxOM,"}/*!sc*/ .dVGqDZ{padding:4rem 0 0;}/*!sc*/ data-styled.g247[id="se2h2f-1"]{content:"dVGqDZ,"}/*!sc*/ .eRDypO{max-width:122.6rem;margin:0 auto;padding:0 1.6rem;}/*!sc*/ data-styled.g248[id="se2h2f-2"]{content:"eRDypO,"}/*!sc*/ .daVBxX{display:grid;grid-template-columns:repeat(2,1fr);grid-template-rows:auto;grid-row-gap:4rem;list-style:none;padding:0;margin:0;justify-items:flex-start;}/*!sc*/ @media screen and (min-width:900px){.daVBxX{grid-template-columns:repeat(4,1fr);}}/*!sc*/ data-styled.g249[id="se2h2f-3"]{content:"daVBxX,"}/*!sc*/ @media screen and (min-width:900px){.frYIIS:first-child{grid-column:1/2;}.frYIIS:nth-child(2){grid-column:2/3;}.frYIIS:nth-child(3){grid-column:3/4;}.frYIIS:nth-child(4){grid-column:4/5;}}/*!sc*/ data-styled.g250[id="se2h2f-4"]{content:"frYIIS,"}/*!sc*/ .hYwhOd{font-weight:600;font-size:1.1rem;color:#a5a8a8;opacity:0.7;-webkit-letter-spacing:0.092rem;-moz-letter-spacing:0.092rem;-ms-letter-spacing:0.092rem;letter-spacing:0.092rem;line-height:1.6rem;text-transform:uppercase;margin:0 0 1.5rem 0;}/*!sc*/ data-styled.g251[id="se2h2f-5"]{content:"hYwhOd,"}/*!sc*/ .pJMTk{font-weight:300;font-size:1.3rem;color:#242424;-webkit-letter-spacing:0.008rem;-moz-letter-spacing:0.008rem;-ms-letter-spacing:0.008rem;letter-spacing:0.008rem;text-align:left;line-height:2.4rem;margin:0;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;gap:0.4rem;}/*!sc*/ @media screen and (min-width:900px){.pJMTk{font-weight:400;font-size:1.5rem;-webkit-letter-spacing:0;-moz-letter-spacing:0;-ms-letter-spacing:0;letter-spacing:0;line-height:3.2rem;gap:0.8rem;}}/*!sc*/ data-styled.g252[id="se2h2f-6"]{content:"pJMTk,"}/*!sc*/ .kfPipf{color:#242424;}/*!sc*/ .kfPipf:hover{color:#242424;opacity:0.7;}/*!sc*/ 
data-styled.g253[id="se2h2f-7"]{content:"kfPipf,"}/*!sc*/ .gplNEi{border-bottom:0.1rem solid #cdd2d4;margin-top:3.2rem;width:100vw;margin-left:-1.6rem;}/*!sc*/ @media screen and (min-width:900px){.gplNEi{display:none;}}/*!sc*/ data-styled.g254[id="se2h2f-8"]{content:"gplNEi,"}/*!sc*/ .gBMQRB{margin:3.2rem 0 0;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;}/*!sc*/ @media screen and (min-width:900px){.gBMQRB{margin:8rem 0 0;-webkit-flex-direction:row;-ms-flex-direction:row;flex-direction:row;-webkit-align-items:baseline;-webkit-box-align:baseline;-ms-flex-align:baseline;align-items:baseline;-webkit-box-pack:justify;-webkit-justify-content:space-between;-ms-flex-pack:justify;justify-content:space-between;}}/*!sc*/ data-styled.g255[id="se2h2f-9"]{content:"gBMQRB,"}/*!sc*/ .dHEfNl{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;margin:0 0 1.6rem;list-style:none;padding:0;}/*!sc*/ data-styled.g256[id="se2h2f-10"]{content:"dHEfNl,"}/*!sc*/ .gKhDpQ{padding:0 1.6rem 0;opacity:0.4;}/*!sc*/ .gKhDpQ:first-child{padding:0 1.6rem 0 0;}/*!sc*/ .gKhDpQ:hover{opacity:0.7;}/*!sc*/ data-styled.g257[id="se2h2f-11"]{content:"gKhDpQ,"}/*!sc*/ .gXAHYn{color:#242424;}/*!sc*/ .gXAHYn:hover{color:#242424;}/*!sc*/ data-styled.g258[id="se2h2f-12"]{content:"gXAHYn,"}/*!sc*/ .eYYtIj{font-weight:400;font-size:1.5rem;color:#606060;-webkit-letter-spacing:0;-moz-letter-spacing:0;-ms-letter-spacing:0;letter-spacing:0;line-height:2.4rem;text-align:center;margin-bottom:3.2rem;}/*!sc*/ @media screen and (min-width:900px){.eYYtIj{font-size:1.3rem;text-align:right;}}/*!sc*/ data-styled.g259[id="se2h2f-13"]{content:"eYYtIj,"}/*!sc*/ .kUlUxE{display:none;margin-left:0.8rem;}/*!sc*/ @media screen and (min-width:900px){.kUlUxE{display:inline-block;}}/*!sc*/ 
data-styled.g260[id="se2h2f-14"]{content:"kUlUxE,"}/*!sc*/ .VdjZw{width:1.958rem;height:2rem;}/*!sc*/ data-styled.g261[id="se2h2f-15"]{content:"VdjZw,"}/*!sc*/ .biwoHT{width:1.77rem;height:2rem;}/*!sc*/ data-styled.g262[id="se2h2f-16"]{content:"biwoHT,"}/*!sc*/ .ekZMky{width:2.02rem;height:2rem;}/*!sc*/ data-styled.g263[id="se2h2f-17"]{content:"ekZMky,"}/*!sc*/ .gWGPDF{height:1.4rem;}/*!sc*/ @media screen and (min-width:900px){.gWGPDF{height:1.8rem;}}/*!sc*/ data-styled.g264[id="se2h2f-18"]{content:"gWGPDF,"}/*!sc*/ </style></head><body itemscope="" itemType="http://schema.org/WebPage"><div id="__next"><script>window.datafile=undefined</script>
<div itemscope="" itemType="http://schema.org/BlogPosting" itemProp="mainEntity"><link itemProp="mainEntityOfPage" href="/blog/id-token-access-token-what-is-the-difference/"/><section class="v0njjd-0 kEXVJZ"><header class="bie152-0 dQGrL"><div class="bie152-3 hzQAvt"><div class="bie152-2 iBZoKk"><figure><img src="https://images.ctfassets.net/23aumh6u8s0i/4hewpJDm0cpCwKydQjq8Gj/0c4f2cf6632d5067c5a9663bf8925a65/the-confused-developer-01.jpg" width="1176" height="1056" class="bie152-19 klcxrk"/></figure></div><div class="bie152-4 zWfns"><div class="bie152-5 gjPoRq"><span id="post-category" class="bie152-6 kuZGke">The Confused Developer</span><h1 itemProp="headline" class="bie152-7 dNLsmV">ID Token and Access Token: What&#x27;s the Difference?</h1><p itemProp="description" class="bie152-8 BxKyh">Learn what ID and access tokens are and how to correctly use them in the OpenID Connect and OAuth context.</p></div><div class="bie152-9 beLXWF"><div itemProp="author" itemscope="" itemType="http://schema.org/Person" class="bie152-10 kTTSlD"><a itemProp="url" href="/blog/authors/andrea-chiarelli/" class="bie152-11 SbeZk"><div class="bie152-13 coofmK"><div itemProp="name" class="bie152-14 czqHud">Andrea Chiarelli</div><div itemProp="jobTitle" class="bie152-15 fCRjyY">Principal Developer Advocate</div></div></a></div></div><p class="bie152-16 hFSvgw">Last Updated On: October 28, 2021</p><meta itemProp="datePublished" content="2021-09-23"/><meta itemProp="dateModified" content="2021-10-28"/></div><div class="bie152-1 fobSsY"><div class="bie152-17 gZejMy"><figure itemProp="image" itemscope="" 
itemType="http://schema.org/ImageObject" class="bie152-18 lgMHlS"><meta itemProp="url" content="https://images.ctfassets.net/23aumh6u8s0i/4hewpJDm0cpCwKydQjq8Gj/0c4f2cf6632d5067c5a9663bf8925a65/the-confused-developer-01.jpg"/><meta itemProp="width" content="1176"/><meta itemProp="height" content="1056"/></figure></div></div></div></header><article class="v0njjd-1 dHwRRo"><aside class="sc-1y9xkzh-0 bMXvsY"><div class="sc-1y9xkzh-1 hTZJuI"><ul class="sc-1y9xkzh-8 iHLAoI"><li data-element-id="blogSidebarDocsCTA" class="sc-1y9xkzh-9 kSDgak"><a href="https://auth0.com/docs" target="_blank" rel="noopener" class="sc-1y9xkzh-10 gUppOI"><span class="sc-1y9xkzh-11 iKGOGZ">Auth0 Docs</span><span class="sc-1y9xkzh-12 giJJK"><img alt="Open external link" src="https://cdn.auth0.com/website/blog/external-link.svg"/></span><br/><span>Implement Authentication in Minutes</span></a></li><li data-element-id="blogSidebarAdCTA" class="sc-1y9xkzh-9 kSDgak"><div class="sc-1ktgc0z-0 jf943f-0 ePxsiZ cKsdik"><div class="jf943f-1 dUQsAt"></div><img src="https://cdn.auth0.com/website/blog/oauth2-oidc-sidebar.svg" alt="" class="jf943f-2 eRLcbe"/><p class="sc-1ktgc0z-1 jf943f-3 btYtMQ gcjrtn">OAuth2 And OpenID Connect: The Professional Guide</p><a href="https://auth0.com/resources/ebooks/oauth-openid-connect-professional-guide" target="_blank" rel="noopener noreferrer" data-element-id="blog-sidebar-oauth-oidc2-cta" class="sc-1ktgc0z-2 jf943f-5 bEaAFf hXEhDR">Get the free ebook!</a></div></li></ul></div></aside><div id="post-content" itemProp="articleBody" class="nlufiy-0 jWmJon"><div><p>&quot;Let’s use a token to secure this API call. Should I use the ID token or the access token? ​🤔 The ID token looks nicer to me. After all, if I know who the user is, I can make better authorization decisions, right?&quot;</p><p>Have you ever found yourself making similar arguments? Choices based on your intuition may sound good, but what looks intuitive is not always correct. 
In the case of ID and access tokens, they have clear and well-defined purposes, so you should use them based on that. Using the wrong token can result in your solution being insecure.</p><p>&quot;What changes after all? They are just tokens. I can use them as I see fit. What’s the worst that could happen?&quot;</p><p>Let’s take a closer look at these two types of tokens to better understand their role in authentication and authorization processes.</p><p>If you prefer, you can also watch this video on the same topic:</p><div class="embed-container" style="position:relative;padding-bottom:56.25%;height:0;overflow:hidden;max-width:100%;margin-bottom:40px;:"><iframe style="position:absolute;top:0;left:0;width:100%;height:100%;:" src="https://www.youtube.com/embed/vVM1Tpu9QB4" frameBorder="0" allowfullscreen=""></iframe></div><h2 id="What-Is-an-ID-Token-">What Is an ID Token?</h2><p>An ID token is an artifact that proves that <strong>the user has been authenticated</strong>. It was introduced by <a href="https://openid.net/connect/" target="_blank" rel="noreferrer noopener">OpenID Connect</a> (OIDC), an open standard for authentication used by many identity providers such as Google, Facebook, and, of course, Auth0. Check out <a href="https://auth0.com/docs/protocols/openid-connect-protocol" target="_blank" rel="noreferrer noopener">this document for more details on OpenID Connect</a>. Let&#x27;s take a quick look at the problem OIDC wants to resolve.</p><p>Consider the following diagram:</p><p><img src="https://images.ctfassets.net/23aumh6u8s0i/4x34jgYBU7vjBYLumNr9Sg/57e0b420de0d27568981af4aef0ab27f/id-token-scenario.png" alt="ID token scenario" class=" lightbox-image"/></p><p>Here, a user with their browser authenticates against an OpenID provider and gets access to a web application. 
The result of that authentication process based on OpenID Connect is the ID token, which is passed to the application as proof that the user has been authenticated.</p><p>This provides a very basic idea of what an ID token is: proof of the user&#x27;s authentication. Let’s see some other details.</p><p>An ID token is <strong>encoded as a JSON Web Token</strong> (JWT), a standard format that allows your application to easily inspect its content, and make sure it comes from the expected issuer and that no one else changed it. If you want to learn more about JWTs, check out <a href="https://auth0.com/resources/ebooks/jwt-handbook" target="_blank" rel="noreferrer noopener">The JWT Handbook</a>.</p><p>To put it simply, an example ID token looks like this:</p><pre><code class="language-js">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9<span class="token punctuation">.</span>eyJpc3MiOiJodHRwOi8vbXktZG9tYWluLmF1dGgwLmNvbSIsInN1YiI6ImF1dGgwfDEyMzQ1NiIsImF1ZCI6IjEyMzRhYmNkZWYiLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3MCwibmFtZSI6IkphbmUgRG9lIiwiZ2l2ZW5fbmFtZSI6IkphbmUiLCJmYW1pbHlfbmFtZSI6IkRvZSJ9<span class="token punctuation">.</span>bql<span class="token operator">-</span>jxlG9B_bielkqOnjTY9Di9FillFb6IMQINXoYsw</code></pre><p>Of course, this isn&#x27;t readable to the human eye, so you have to decode it to see what content the JWT holds. By the way, the ID token is not encrypted but just <a href="https://en.wikipedia.org/wiki/Base64" target="_blank" rel="noreferrer noopener">Base64url</a> encoded, which means anyone who obtains the token can read its claims.
You can use one of the <a href="https://jwt.io/#libraries-io" target="_blank" rel="noreferrer noopener">many available libraries</a> to decode it, or you can examine it yourself with the <a href="https://jwt.io/?id_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbXktZG9tYWluLmF1dGgwLmNvbSIsInN1YiI6ImF1dGgwfDEyMzQ1NiIsImF1ZCI6IjEyMzRhYmNkZWYiLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3MCwibmFtZSI6IkphbmUgRG9lIiwiZ2l2ZW5fbmFtZSI6IkphbmUiLCJmYW1pbHlfbmFtZSI6IkRvZSJ9.bql-jxlG9B_bielkqOnjTY9Di9FillFb6IMQINXoYsw" target="_blank" rel="noreferrer noopener">jwt.io</a> debugger.</p><p>Without going deeper into the details, the relevant information carried by the ID token above looks like the following:</p><pre><code class="language-json"><span class="token punctuation">{</span> <span class="token property">"iss"</span><span class="token operator">:</span> <span class="token string">"http://my-domain.auth0.com"</span><span class="token punctuation">,</span> <span class="token property">"sub"</span><span class="token operator">:</span> <span class="token string">"auth0|123456"</span><span class="token punctuation">,</span> <span class="token property">"aud"</span><span class="token operator">:</span> <span class="token string">"1234abcdef"</span><span class="token punctuation">,</span> <span class="token property">"exp"</span><span class="token operator">:</span> <span class="token number">1311281970</span><span class="token punctuation">,</span> <span class="token property">"iat"</span><span class="token operator">:</span> <span class="token number">1311280970</span><span class="token punctuation">,</span> <span class="token property">"name"</span><span class="token operator">:</span> <span class="token string">"Jane Doe"</span><span class="token punctuation">,</span> <span class="token property">"given_name"</span><span class="token operator">:</span> <span class="token string">"Jane"</span><span class="token punctuation">,</span> <span class="token 
property">"family_name"</span><span class="token operator">:</span> <span class="token string">"Doe"</span> <span class="token punctuation">}</span></code></pre><p>These JSON properties are called <strong>claims</strong>, and they are <strong>declarations about the user</strong> and the token itself. The claims about the user define the user’s identity.</p><blockquote><p>Actually, the OpenID Connect specifications don&#x27;t require the ID token to carry claims about the user. In its minimal structure, it has no data about the user; just info about the authentication operation.</p></blockquote><p>One important claim is the <code class="language-js">aud</code> claim. This claim defines the <strong>audience</strong> of the token, i.e., the web application that is meant to be <strong>the final recipient of the token</strong>. In the case of the ID token, its value is the client ID of the application that should consume the token.</p><blockquote><p>Remember this small detail about the audience claim because it will help you better understand what its correct use is later on.</p></blockquote><p>The ID token may have additional information about the user, such as their email address, picture, birthday, and so on.</p><p>Finally, maybe the most important thing: the ID token is signed by the issuer with its private key. This guarantees you the origin of the token and ensures that it has not been tampered with. You can verify these things by <a href="https://auth0.com/blog/how-to-explain-public-key-cryptography-digital-signatures-to-anyone/" target="_blank" rel="noreferrer noopener">using the issuer&#x27;s public key</a>. This holds for asymmetric signing algorithms such as RS256; the sample token above declares HS256 in its header, which relies on a secret shared between the issuer and your application rather than a key pair. Either way, the guarantees apply only after your application has verified the signature.</p><p>Cool! Now you know what an ID token is.
But what can you do with an ID token?</p><p>First, it demonstrates that the user has been authenticated by an entity you trust (the OpenID provider) and so <strong>you can trust the claims about their identity</strong>.</p><p>Also, your application can <strong>personalize the user’s experience</strong> by using the claims about the user that are included in the ID token. For example, you can show their name on the UI, or display a &quot;best wishes&quot; message on their birthday. The fun part is that you don’t need to make additional requests, so you may get <strong>a little gain in performance</strong> for your application.</p><h2 id="What-Is-an-Access-Token-">What Is an Access Token?</h2><p>Now that you know what an ID token is, let’s try to understand what an access token is.</p><p>Let&#x27;s start by depicting the scenario where the access token fits:</p><p><img src="https://images.ctfassets.net/23aumh6u8s0i/6bFrgMoBLfHk65ZWvenpuY/e6ee7bc645dec122d6206ba7440d41d7/access-token-scenario.png" alt="Access token scenario" class=" lightbox-image"/></p><p>In the diagram above, a <strong>client application</strong> wants to access a <strong>resource</strong>, e.g., an API or anything else which is protected from unauthorized access. The other two elements in that diagram are the user, which is the <strong>owner</strong> of the resource, and the <strong>authorization server</strong>. In this scenario, the access token is the artifact that <strong>allows the client application to access the user&#x27;s resource</strong>. It is issued by the authorization server after successfully authenticating the user and obtaining their consent.</p><p>In the <a href="https://auth0.com/docs/protocols/protocol-oauth2" target="_blank" rel="noreferrer noopener">OAuth 2</a> context, the access token <strong>allows a client application to access a specific resource to perform specific actions on behalf of the user</strong>. 
That is what is known as a <strong>delegated authorization scenario</strong>: the user delegates a client application to access a resource on their behalf. That means, for example, that you can authorize your LinkedIn app to access Twitter’s API on your behalf to cross-post on both social platforms. Keep in mind that you only authorize LinkedIn to publish your posts on Twitter. You don&#x27;t authorize it to delete them or change your profile’s data or do other things, too. This limitation is very important in a delegated authorization scenario and is achieved through scopes. <strong><a href="https://auth0.com/docs/scopes" target="_blank" rel="noreferrer noopener">Scopes</a></strong> are a mechanism that allows the user to authorize a third-party application to <strong>perform only specific operations</strong>.</p><p>Of course, the API receiving the access token must be sure that it actually is a valid token issued by the authorization server that it trusts and make authorization decisions based on the information associated with it. In other words, the API needs to somehow use that token in order to authorize the client application to perform the desired operation on the resource.</p><p>How the access token should be used in order to make authorization decisions depends on many factors: the overall system architecture, the token format, etc. For example, an access token could be a key that allows the API to retrieve the needed information from a database shared with the authorization server, or it can directly contain the needed information in an encoded format. This means that <strong>understanding how to retrieve the needed information to make authorization decisions is an agreement between the authorization server and the resource server</strong>, i.e., the API.</p><p><a href="https://datatracker.ietf.org/doc/html/rfc6749" target="_blank" rel="noreferrer noopener">OAuth 2 core specifications</a> say nothing about the access token format. 
It <strong>can be a string in any format</strong>. A common format used for access tokens is JWT, and <a href="https://datatracker.ietf.org/doc/html/rfc9068" target="_blank" rel="noreferrer noopener">a standard structure is available</a>. However, this doesn’t mean that access tokens should be in that format.</p><p>Alright! Now you know what an ID token and an access token are. 🎉 So you are ready to use them without any fear of making mistakes. But, wait. I do not see you convinced. 🤔 Maybe you need some other information. Ok. So, let’s see what these tokens are <em>not</em> suitable for.</p><h2 id="What-Is-an-ID-Token-NOT-Suitable-For-">What Is an ID Token NOT Suitable For?</h2><p>One of the most common mistakes developers make with an ID token is using it to call an API.</p><p>As said above, an ID token proves that a user has been authenticated. In a first-party scenario, i.e. in a scenario where the client and the API are both controlled by you, you may decide that your ID token is good to make authorization decisions: maybe all you need to know is the user identity.</p><p>However, even in this scenario, the security of your application, consisting of the client and the API, may be at risk. In fact, <strong>there is no mechanism that ties the ID token to the client-API channel</strong>. If an attacker manages to steal your ID token, they can use it to call your API like a legitimate client.</p><p>For the access token, on the other hand, there is <a href="https://auth0.com/blog/identity-unlocked-explained-episode-1/" target="_blank" rel="noreferrer noopener">a set of techniques, collectively known as <em>sender constraint</em></a>, that allow you to bind an access token to a specific sender. 
When one of these techniques is in place (for example, mutual-TLS client certificates or DPoP), even if an attacker steals an access token, they can’t use it to access your API, since the token is bound to the client that originally requested it. A plain bearer access token carries no such binding.</p><p>In a delegated authorization scenario where a third-party client wants to call your API, <strong>you must not use an ID token to call the API</strong>. In addition to the lack of mechanisms to bind it to the client, there are several other reasons not to do this.</p><p>If your API accepts an ID token as an authorization token, to begin with, you are ignoring the intended recipient stated by the audience claim. That claim says that it is meant for your client application, not for the resource server (i.e., the API).</p><p>You may think this is just a formality, but <strong>there are security implications</strong> here.</p><p>First of all, among other validation checks, your API shouldn’t accept a token that is not meant for it. If it does, its security is at risk. In fact, if your API doesn&#x27;t check whether a token is meant for it, an ID token stolen from any client application can be used to access your API. Of course, checking the audience is just one of <a href="https://auth0.com/docs/security/tokens/access-tokens/validate-access-tokens" target="_blank" rel="noreferrer noopener">the checks that your API should do to prevent unauthorized access</a>.</p><p>In addition, your ID token will not have granted <a href="https://auth0.com/docs/scopes" target="_blank" rel="noreferrer noopener">scopes</a> (I know, this is another pain point). As said before, scopes allow the user to restrict the operations your client application can do on their behalf. Those scopes are associated with the access token so that your API knows what the client application can do and what it can&#x27;t do.
If your client application uses an ID token to call the API, you ignore this feature and potentially allow the application to perform actions that the user has not authorized.</p><h2 id="What-Is-an-Access-Token-NOT-Suitable-For-">What Is an Access Token NOT Suitable For?</h2><p>On the access token side, it was conceived to demonstrate that you are authorized to access a resource, e.g., to call an API.</p><p>Your client application should use it only for this reason. In other words, the access token <strong>should not be inspected by the client application</strong>. It is intended for the resource server, and your client application should treat access tokens as opaque strings, that is, strings with no specific meaning. Even if you know the access token format, you shouldn’t try to interpret its content in your client application. As said, the access token format is an agreement between the authorization server and the resource server, and the client application should not intrude. Think of what can happen if one day the access token format changes. If your client code was inspecting that access token, now it will break unexpectedly.</p><h2 id="A-Quick-Recap">A Quick Recap</h2><p>The confusion over the use of ID and access tokens is very common, and it can be difficult to wrap your head around the differences. Maybe it mostly derives from not having a clear understanding of the different goals of each artifact as defined by the OAuth and OpenID Connect specifications. Also, understanding the scenarios where those artifacts were originally meant to operate has an important role in preventing confusion on their use. 
Nevertheless, I hope this topic is a little clearer now.</p><p>To recap, here is a quick summary of what you learned about what you can and can’t do with ID and access tokens:</p><p><img src="https://images.ctfassets.net/23aumh6u8s0i/2y2MCTq87UqQ1uzCJsl4M/c6f127f738f0d13017ff47544958d880/id-token-vs-access-token.jpg" alt="ID token vs access token" class=" lightbox-image"/></p><p>If you want to see ID and access tokens in action, <a href="https://a0.to/blog_signup" data-amp-replace="CLIENT_ID" data-amp-addparams="anonId=CLIENT_ID(cid-scope-cookie-fallback-name)" target="_blank" rel="noreferrer noopener">sign up for a free Auth0 account</a> and start to add authentication and authorization to your applications in minutes with <a href="https://auth0.com/docs/libraries" target="_blank" rel="noreferrer noopener">your preferred programming language and framework</a>.</p></div><ul class="nlufiy-1 dOMuZW"><li class="nlufiy-2 fXIXML"><a href="#" class="nlufiy-3 jFCgAB"><img src="https://cdn.auth0.com/website/blog/twitter-social-button.svg" alt="Twitter icon"/></a></li><li class="nlufiy-2 fXIXML"><a href="#" class="nlufiy-3 jRHWVS"><img src="https://cdn.auth0.com/website/blog/linkedin-social-button.svg" alt="LinkedIn icon"/></a></li><li class="nlufiy-2 fXIXML"><a href="#" class="nlufiy-3 dCgmko"><img src="https://cdn.auth0.com/website/blog/facebook-social-button.svg" alt="Facebook icon"/></a></li></ul></div></article><div itemscope="" itemType="https://schema.org/Organization" itemProp="publisher"><div itemProp="logo" itemscope="" itemType="https://schema.org/ImageObject"><meta itemProp="url" content="https://i.cloudup.com/BngR4GufYd-3000x3000.png"/><meta itemProp="width" content="100"/><meta itemProp="height" content="37"/></div><meta itemProp="name" content="Auth0"/></div></section><aside class="v0njjd-2 eOJQKq"><section itemscope="" itemType="http://schema.org/Person" itemProp="author" class="afpbj5-0 lhZmdi"><article class="afpbj5-1 jUlrnr"><div class="afpbj5-2
kKffdm"><img src="https://images.ctfassets.net/23aumh6u8s0i/20yAvTcosk60ReBcBSlaOJ/be0d3d390368edf9cdf3d50e76207164/andrea-chiarelli" width="400" height="400" alt="Andrea Chiarelli" class="afpbj5-3 fTfQKv"/><div class="afpbj5-4 gnZRGE"><h3 itemProp="name" class="afpbj5-5 hKELzO">Andrea Chiarelli</h3><p itemProp="jobTitle" class="afpbj5-6 kXpFsO">Principal Developer Advocate</p><div class="afpbj5-7 beRytG"><div><p>I have over 20 years of experience as a software engineer and technical author. Throughout my career, I&#x27;ve used several programming languages and technologies for the projects I was involved in, ranging from C# to JavaScript, ASP.NET to Node.js, Angular to React, SOAP to REST APIs, etc.</p><p>In the last few years, I&#x27;ve been focusing on simplifying the developer experience with Identity and related topics, especially in the .NET ecosystem.</p></div></div><a href="/blog/authors/andrea-chiarelli/" class="afpbj5-8 gtgUdW">View Profile</a></div></div><div class="afpbj5-9 iDyHSd"><div class="afpbj5-4 gnZRGE"><div class="afpbj5-10 iKBEzH"><img src="https://images.ctfassets.net/23aumh6u8s0i/20yAvTcosk60ReBcBSlaOJ/be0d3d390368edf9cdf3d50e76207164/andrea-chiarelli" class="afpbj5-3 fTfQKv"/><div class="afpbj5-11 IuaRy"><h3 class="afpbj5-5 hKELzO">Andrea Chiarelli</h3><p class="afpbj5-6 kXpFsO">Principal Developer Advocate</p></div></div><div class="afpbj5-7 beRytG"><div><p>I have over 20 years of experience as a software engineer and technical author. 
Throughout my career, I&#x27;ve used several programming languages and technologies for the projects I was involved in, ranging from C# to JavaScript, ASP.NET to Node.js, Angular to React, SOAP to REST APIs, etc.</p><p>In the last few years, I&#x27;ve been focusing on simplifying the developer experience with Identity and related topics, especially in the .NET ecosystem.</p></div></div><a href="/blog/authors/andrea-chiarelli/" class="afpbj5-8 gtgUdW">View Profile</a></div></div></article></section><section class="eb4tqf-0 cUeJxc"><article class="eb4tqf-1 eeCWwh"><h3 class="eb4tqf-2 eHrQny">More like this</h3><ul class="eb4tqf-3 eRFpcL"><li data-element-id="blog-bottom-recommendation" class="sc-1t3ptg8-2 SwmLi"><a href="/blog/the-openid-connect-handbook/" class="sc-1t3ptg8-4 hZxZfg"><figure class="sc-1t3ptg8-5 kDCiDB"></figure><div class="sc-1t3ptg8-6 edDGSP"><span color="49AC6F" class="sc-1t3ptg8-7 cCvXbi">OpenID Connect</span><h2 class="sc-1t3ptg8-8 jVGonE">The OpenID Connect Handbook</h2></div></a></li><li data-element-id="blog-bottom-recommendation" class="sc-1t3ptg8-2 SwmLi"><a href="/blog/json-web-token-signing-algorithms-overview/" class="sc-1t3ptg8-4 hZxZfg"><figure class="sc-1t3ptg8-5 krYDLk"></figure><div class="sc-1t3ptg8-6 edDGSP"><span color="49AC6F" class="sc-1t3ptg8-7 cCvXbi">JWT</span><h2 class="sc-1t3ptg8-8 jVGonE">JSON Web Token (JWT) Signing Algorithms Overview</h2></div></a></li><li data-element-id="blog-bottom-recommendation" class="sc-1t3ptg8-2 SwmLi"><a href="/blog/what-is-an-authentication-server/" class="sc-1t3ptg8-4 hZxZfg"><figure class="sc-1t3ptg8-5 gvllkx"></figure><div class="sc-1t3ptg8-6 edDGSP"><span color="49AC6F" class="sc-1t3ptg8-7 cCvXbi">Authentication</span><h2 class="sc-1t3ptg8-8 jVGonE">What is an Authentication Server</h2></div></a></li></ul></article></section><section class="fr3dgj-0 wgbeZ"><article class="fr3dgj-1 dGWFvT"><div class="fr3dgj-2 ejdPpM"><h3 class="fr3dgj-3 ftCbBx">Follow the conversation</h3><div 
All Rights Reserved.</p></div></article></section></footer><div id="asset-library-root"></div><div id="modal-root"></div><div id="alert-root"></div></div><script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{"path":"id-token-access-token-what-is-the-difference","lastUpdatedBy":"Robertino Calcaterra","layout":"post","title":"ID Token and Access Token: What's the Difference?","description":"Learn what ID and access tokens are and how to correctly use them in the OpenID Connect and OAuth context.","metaTitle":"ID Token and Access Token: What Is the Difference?","metaDescription":"Learn what ID and access tokens are and how to correctly use them in the OpenID Connect and OAuth context.","heroImage":{"url":"https://images.ctfassets.net/23aumh6u8s0i/4hewpJDm0cpCwKydQjq8Gj/0c4f2cf6632d5067c5a9663bf8925a65/the-confused-developer-01.jpg","size":{"width":1176,"height":1056}},"dateCreated":"2021-09-23T14:31","dateLastUpdated":"2021-10-28T13:11","dateLastUpdatedHomepage":null,"category":["Developers","Concepts","The Confused Developer"],"tags":["the-confused-developer","id-token","access-token","jwt","authorization","authentication"],"lang":"en","orderOfFeaturedPost":null,"communityTopicId":"70028","metaRobots":null,"designArtistLink":null,"designArtistName":null,"postContent":"\"Let’s use a token to secure this API call. Should I use the ID token or the access token? ​🤔 The ID token looks nicer to me. After all, if I know who the user is, I can make better authorization decisions, right?\"\n\nHave you ever found yourself making similar arguments? Choices based on your intuition may sound good, but what looks intuitive is not always correct. In the case of ID and access tokens, they have clear and well-defined purposes, so you should use them based on that. Using the wrong token can result in your solution being insecure.\n\n\"What changes after all? They are just tokens. I can use them as I see fit. 
What’s the worst that could happen?\"\n\nLet’s take a closer look at these two types of tokens to better understand their role in authentication and authorization processes.\n\nIf you prefer, you can also watch this video on the same topic:\n\n\u003cAmpContent\u003e\n\u003camp-youtube\n data-videoid=\"vVM1Tpu9QB4\"\n layout=\"responsive\"\n width=\"480\" height=\"270\"\u003e\n\u003c/amp-youtube\u003e\n\u003c/AmpContent\u003e\n\n\u003cNonAmpContent\u003e\n\u003cdiv\n class='embed-container'\n style=\"position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden; max-width: 100%;margin-bottom:40px;\"\u003e\n \u003ciframe\n style=\"position: absolute; top: 0; left: 0; width: 100%; height: 100%;\"\n src='https://www.youtube.com/embed/vVM1Tpu9QB4'\n frameborder='0' allowfullscreen\u003e\n \u003c/iframe\u003e\n\u003c/div\u003e\n\u003c/NonAmpContent\u003e\n\n\n## What Is an ID Token?\n\nAn ID token is an artifact that proves that **the user has been authenticated**. It was introduced by [OpenID Connect](https://openid.net/connect/) (OIDC), an open standard for authentication used by many identity providers such as Google, Facebook, and, of course, Auth0. Check out [this document for more details on OpenID Connect](https://auth0.com/docs/protocols/openid-connect-protocol). Let's take a quick look at the problem OIDC wants to resolve.\n\nConsider the following diagram:\n\n![ID token scenario](https://images.ctfassets.net/23aumh6u8s0i/4x34jgYBU7vjBYLumNr9Sg/57e0b420de0d27568981af4aef0ab27f/id-token-scenario.png)\n\nHere, a user with their browser authenticates against an OpenID provider and gets access to a web application. The result of that authentication process based on OpenID Connect is the ID token, which is passed to the application as proof that the user has been authenticated.\n\nThis provides a very basic idea of what an ID token is: proof of the user's authentication. 
Let’s see some other details.\n\nAn ID token is **encoded as a JSON Web Token** (JWT), a standard format that allows your application to easily inspect its content, and make sure it comes from the expected issuer and that no one else changed it. If you want to learn more about JWTs, check out [The JWT Handbook](https://auth0.com/resources/ebooks/jwt-handbook).\n\nTo put it simply, an example of an ID token looks like this:\n\n```\neyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbXktZG9tYWluLmF1dGgwLmNvbSIsInN1YiI6ImF1dGgwfDEyMzQ1NiIsImF1ZCI6IjEyMzRhYmNkZWYiLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3MCwibmFtZSI6IkphbmUgRG9lIiwiZ2l2ZW5fbmFtZSI6IkphbmUiLCJmYW1pbHlfbmFtZSI6IkRvZSJ9.bql-jxlG9B_bielkqOnjTY9Di9FillFb6IMQINXoYsw\n```\n\nOf course, this isn't readable to the human eye, so you have to decode it to see what content the JWT holds. By the way, the ID token is not encrypted but just [Base 64](https://en.wikipedia.org/wiki/Base64) encoded, so anyone who obtains the token can read its claims. You can use one of the [many available libraries](https://jwt.io/#libraries-io) to decode it, or you can examine it yourself with the [jwt.io](https://jwt.io/?id_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbXktZG9tYWluLmF1dGgwLmNvbSIsInN1YiI6ImF1dGgwfDEyMzQ1NiIsImF1ZCI6IjEyMzRhYmNkZWYiLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3MCwibmFtZSI6IkphbmUgRG9lIiwiZ2l2ZW5fbmFtZSI6IkphbmUiLCJmYW1pbHlfbmFtZSI6IkRvZSJ9.bql-jxlG9B_bielkqOnjTY9Di9FillFb6IMQINXoYsw) debugger.\n\nWithout going deeper into the details, the relevant information carried by the ID token above looks like the following:\n\n```json\n{ \n \"iss\": \"http://my-domain.auth0.com\", \n \"sub\": \"auth0|123456\", \n \"aud\": \"1234abcdef\", \n \"exp\": 1311281970, \n \"iat\": 1311280970, \n \"name\": \"Jane Doe\", \n \"given_name\": \"Jane\", \n \"family_name\": \"Doe\"\n}\n```\n\nThese JSON properties are called **claims**, and they are **declarations about the user** and the token itself. 
The claims about the user define the user’s identity.\n\n\u003e Actually, the OpenID Connect specifications don't require the ID token to carry claims about the user. In its minimal structure, it has no data about the user; just info about the authentication operation.\n\nOne important claim is the `aud` claim. This claim defines the **audience** of the token, i.e., the web application that is meant to be **the final recipient of the token**. In the case of the ID token, its value is the client ID of the application that should consume the token.\n\n\u003e Remember this small detail about the audience claim because it will help you better understand what its correct use is later on.\n\nThe ID token may have additional information about the user, such as their email address, picture, birthday, and so on.\n\nFinally, maybe the most important thing: the ID token is signed by the issuer with its private key. This guarantees you the origin of the token and ensures that it has not been tampered with. You can verify these things by [using the issuer's public key](https://auth0.com/blog/how-to-explain-public-key-cryptography-digital-signatures-to-anyone/). Note that the sample token above declares the HS256 algorithm in its header, which is symmetric: such a token is verified with a secret shared with the issuer instead of a public key.\n\nCool! Now you know what an ID token is. But what can you do with an ID token?\n\nFirst, it demonstrates that the user has been authenticated by an entity you trust (the OpenID provider) and so **you can trust the claims about their identity**.\n\nAlso, your application can **personalize the user’s experience** by using the claims about the user that are included in the ID token. For example, you can show their name on the UI, or display a \"best wishes\" message on their birthday. 
The fun part is that you don’t need to make additional requests, so you may get **a little gain in performance** for your application.\n\n## What Is an Access Token?\n\nNow that you know what an ID token is, let’s try to understand what an access token is.\n\nLet's start by depicting the scenario where the access token fits:\n\n![Access token scenario](https://images.ctfassets.net/23aumh6u8s0i/6bFrgMoBLfHk65ZWvenpuY/e6ee7bc645dec122d6206ba7440d41d7/access-token-scenario.png)\n\nIn the diagram above, a **client application** wants to access a **resource**, e.g., an API or anything else which is protected from unauthorized access. The other two elements in that diagram are the user, which is the **owner** of the resource, and the **authorization server**. In this scenario, the access token is the artifact that **allows the client application to access the user's resource**. It is issued by the authorization server after successfully authenticating the user and obtaining their consent.\n\nIn the [OAuth 2](https://auth0.com/docs/protocols/protocol-oauth2) context, the access token **allows a client application to access a specific resource to perform specific actions on behalf of the user**. That is what is known as a **delegated authorization scenario**: the user delegates a client application to access a resource on their behalf. That means, for example, that you can authorize your LinkedIn app to access Twitter’s API on your behalf to cross-post on both social platforms. Keep in mind that you only authorize LinkedIn to publish your posts on Twitter. You don't authorize it to delete them or change your profile’s data or do other things, too. This limitation is very important in a delegated authorization scenario and is achieved through scopes. 
**[Scopes](https://auth0.com/docs/scopes)** are a mechanism that allows the user to authorize a third-party application to **perform only specific operations**.\n\nOf course, the API receiving the access token must be sure that it actually is a valid token issued by the authorization server that it trusts and make authorization decisions based on the information associated with it. In other words, the API needs to somehow use that token in order to authorize the client application to perform the desired operation on the resource.\n\nHow the access token should be used in order to make authorization decisions depends on many factors: the overall system architecture, the token format, etc. For example, an access token could be a key that allows the API to retrieve the needed information from a database shared with the authorization server, or it can directly contain the needed information in an encoded format. This means that **understanding how to retrieve the needed information to make authorization decisions is an agreement between the authorization server and the resource server**, i.e., the API.\n\n[OAuth 2 core specifications](https://datatracker.ietf.org/doc/html/rfc6749) say nothing about the access token format. It **can be a string in any format**. A common format used for access tokens is JWT, and [a standard structure is available](https://datatracker.ietf.org/doc/html/rfc9068). However, this doesn’t mean that access tokens should be in that format.\n\nAlright! Now you know what an ID token and an access token are. 🎉 So you are ready to use them without any fear of making mistakes. But, wait. I do not see you convinced. 🤔 Maybe you need some other information. Ok. So, let’s see what these tokens are _not_ suitable for.\n\n## What Is an ID Token NOT Suitable For?\n\nOne of the most common mistakes developers make with an ID token is using it to call an API.\n\nAs said above, an ID token proves that a user has been authenticated. 
In a first-party scenario, i.e. in a scenario where the client and the API are both controlled by you, you may decide that your ID token is good enough to make authorization decisions: maybe all you need to know is the user identity.\n\nHowever, even in this scenario, the security of your application, consisting of the client and the API, may be at risk. In fact, **there is no mechanism that ties the ID token to the client-API channel**. If an attacker manages to steal your ID token, they can use it to call your API like a legitimate client.\n\nFor the access token, on the other hand, there is [a set of techniques, collectively known as *sender constraint*](https://auth0.com/blog/identity-unlocked-explained-episode-1/), that allow you to bind an access token to a specific sender. When one of these techniques is applied, it guarantees that even if an attacker steals an access token, they can’t use it to access your API since the token is bound to the client that originally requested it.\n\nIn a delegated authorization scenario where a third-party client wants to call your API, **you must not use an ID token to call the API**. In addition to the lack of mechanisms to bind it to the client, there are several other reasons not to do this.\n\nIf your API accepts an ID token as an authorization token, to begin with, you are ignoring the intended recipient stated by the audience claim. That claim says that it is meant for your client application, not for the resource server (i.e., the API).\n\nYou may think this is just a formality, but **there are security implications** here.\n\nFirst of all, among other validation checks, your API shouldn’t accept a token that is not meant for it. If it does, its security is at risk. In fact, if your API doesn't care if a token is meant for it, an ID token stolen from any client application can be used to access your API. 
Of course, checking the audience is just one of [the checks that your API should do to prevent unauthorized access](https://auth0.com/docs/security/tokens/access-tokens/validate-access-tokens).\n\nIn addition, your ID token will not have granted [scopes](https://auth0.com/docs/scopes) (I know, this is another pain point). As said before, scopes allow the user to restrict the operations your client application can do on their behalf. Those scopes are associated with the access token so that your API knows what the client application can do and what it can't do. If your client application uses an ID token to call the API, you ignore this feature and potentially allow the application to perform actions that the user has not authorized.\n\n## What Is an Access Token NOT Suitable For?\n\nOn the access token side, it was conceived to demonstrate that you are authorized to access a resource, e.g., to call an API.\n\nYour client application should use it only for this reason. In other words, the access token **should not be inspected by the client application**. It is intended for the resource server, and your client application should treat access tokens as opaque strings, that is, strings with no specific meaning. Even if you know the access token format, you shouldn’t try to interpret its content in your client application. As said, the access token format is an agreement between the authorization server and the resource server, and the client application should not intrude. Think of what can happen if one day the access token format changes. If your client code was inspecting that access token, now it will break unexpectedly.\n\n## A Quick Recap\n\nThe confusion over the use of ID and access tokens is very common, and it can be difficult to wrap your head around the differences. Maybe it mostly derives from not having a clear understanding of the different goals of each artifact as defined by the OAuth and OpenID Connect specifications. 
Also, understanding the scenarios where those artifacts were originally meant to operate has an important role in preventing confusion on their use. Nevertheless, I hope this topic is a little more clear now.\n\nTo recap, here is a quick summary of what you learned about what you can and can’t do with ID and access tokens:\n\n![ID token vs access token](https://images.ctfassets.net/23aumh6u8s0i/2y2MCTq87UqQ1uzCJsl4M/c6f127f738f0d13017ff47544958d880/id-token-vs-access-token.jpg)\n\nIf you want to see ID and access tokens in action, \u003ca href=\"https://a0.to/blog_signup\" data-amp-replace=\"CLIENT_ID\" data-amp-addparams=\"anonId=CLIENT_ID(cid-scope-cookie-fallback-name)\"\u003esign up for a free Auth0 account\u003c/a\u003e and start to add authentication and authorization to your applications in minutes with [your preferred programming language and framework](https://auth0.com/docs/libraries).","tutorialChapterTitle":null,"redirectTo":null,"reportingAuthorType":"Core Team","reportingPostType":"Opinionated dev posts/guides","reportingIsAuth0cta":false,"authors":[{"path":"andrea-chiarelli","name":"Andrea Chiarelli","avatar":{"url":"https://images.ctfassets.net/23aumh6u8s0i/20yAvTcosk60ReBcBSlaOJ/be0d3d390368edf9cdf3d50e76207164/andrea-chiarelli","size":{"width":400,"height":400}},"lastUpdatedBy":"andrea.chiarelli@auth0.com","email":"andrea.chiarelli@auth0.com","twitter":"https://twitter.com/andychiare","github":"https://github.com/andychiare","linkedin":"https://www.linkedin.com/in/andreachiarelli/","isPopular":true,"personalWebsite":"https://andreachiarelli.it/","type":"Auth0 Employee","jobTitle":"Principal Developer Advocate","description":"I have over 20 years of experience as a software engineer and technical author. 
Throughout my career, I've used several programming languages and technologies for the projects I was involved in, ranging from C# to JavaScript, ASP.NET to Node.js, Angular to React, SOAP to REST APIs, etc.\n\nIn the last few years, I've been focusing on simplifying the developer experience with Identity and related topics, especially in the .NET ecosystem."}],"relatedPosts":[{"path":"the-openid-connect-handbook","title":"The OpenID Connect Handbook","description":"A preview of our new ebook about OIDC, the de facto standard for handling authentication in the modern world.","heroImage":{"url":"https://images.ctfassets.net/23aumh6u8s0i/QBpn5KpUDKvP0FR7BXiDw/29b2675c21584586cc11705cd9543ccb/open-id-connect","size":{"width":1176,"height":1056}},"category":["Identity \u0026 Security","Identity","OpenID Connect"],"layout":"post","tutorialChapterTitle":null,"lang":"en"},{"path":"json-web-token-signing-algorithms-overview","title":"JSON Web Token (JWT) Signing Algorithms Overview","description":"Learn all about the different JWT signing algorithms and how to choose the correct one for your use case!","heroImage":{"url":"https://images.ctfassets.net/23aumh6u8s0i/56S9oDWKVeNY8AIszkZvw1/7d6794f3d31d4eedb5a3d3699e796e5c/default","size":{"width":1764,"height":1584}},"category":["Identity \u0026 Security","Identity","JWT"],"layout":"post","tutorialChapterTitle":null,"lang":"en"},{"path":"what-is-an-authentication-server","title":"What is an Authentication Server","description":"Learn how an authentication server works and how it compares with an authorization server.","heroImage":{"url":"https://images.ctfassets.net/23aumh6u8s0i/3LicB7o8n7rtwGu6Sfyncy/53bf56ecd9f99f2fecbace9923585228/authentication-tokens","size":{"width":613,"height":550}},"category":["Identity \u0026 
Security","Identity","Authentication"],"layout":"post","tutorialChapterTitle":null,"lang":"en"}],"mlRecommendations":["/blog/refresh-tokens-what-are-they-and-when-to-use-them/"],"isFeatured":false,"isHiddenFromBlogPostGrid":false,"isInPressRelease":false,"sidebarAd":null,"isExludedFromSitemap":false,"mlRecommendationsData":[{"path":"/blog/refresh-tokens-what-are-they-and-when-to-use-them/","heroImage":{"url":"https://images.ctfassets.net/23aumh6u8s0i/3LicB7o8n7rtwGu6Sfyncy/53bf56ecd9f99f2fecbace9923585228/authentication-tokens","size":{"width":613,"height":550}},"title":"What Are Refresh Tokens and How to Use Them Securely","category":["Identity \u0026 Security","Identity","Open Standards"]}],"withAB":true},"__N_SSG":true},"page":"/blog/[slug]","query":{"slug":"id-token-access-token-what-is-the-difference"},"buildId":"IzTW8SATo2LLnvYQRE3T_","assetPrefix":"/blog","isFallback":false,"gsp":true,"customServer":true,"scriptLoader":[]}</script></body></html>
