Identity Reference
OIDC/JWT token claims
Aura Home uses OIDC/JWT tokens supplied by the customer portal through the SDK token callback. Before granting access to protected profile or chat features, the backend validates the token's issuer, audience, signature, and expiry.
Required Claims
| Claim | Required | Purpose | Example |
| --- | --- | --- | --- |
| iss | Yes | Identifies the trusted token issuer. | https://customer.okta.com/oauth2/default |
| aud | Yes | Identifies the expected client ID or API audience. | aura-home |
| sub | Yes | Stable user identifier from the customer identity provider. | 00u123customer |
| exp | Yes | Token expiry; expired tokens are rejected. | 1770000000 |
Recommended Claims
| Claim | Purpose |
| --- | --- |
| email | Useful for display, customer support, and user lookup workflows. |
| name | Optional display name for the authenticated user. |
| iat | Issued-at timestamp for diagnostics and token age checks. |
| nonce | Recommended for browser-based OIDC flows to reduce replay risk. |
SDK Token Callback
```javascript
AuraHome.init({
  container: "#aura-home",
  baseUrl: "https://aura.customer-domain.com/",
  auth: {
    mode: "oidc",
    // Called by the SDK whenever it needs a token. Return the current ID token
    // from the customer identity layer; renewal happens there, not in the iframe.
    getToken: async () => {
      const token = await customerIdentity.getIdToken();
      return token;
    }
  }
});
```
Safe Handling Rules
- Do not put tokens in query strings.
- Do not place tokens in HTML attributes, CSS variables, logs, analytics payloads, or screenshots.
- Refresh tokens in the customer identity layer, not inside the Aura Home iframe.
- Keep token lifetimes short and rely on the portal session for renewal.
Validation Failures
| Failure | What to check |
| --- | --- |
| Invalid issuer | The token iss must match the runtime OIDC issuer configuration. |
| Invalid audience | The token aud must match the configured client ID or API audience. |
| Expired token | Refresh the token before returning it from getToken. |
| Missing identity | Confirm sub is stable and email is present when required by the customer workflow. |