Sessions, Tokens, and Custom Claims


Here's what you need to know about working with sessions, tokens, and custom claims.

Session Management

Next Identity Journeys Session

When a user successfully signs in and authenticates via Next Identity, a browser-based session is started. After that successful authentication, if the application calls the /authorize endpoint from that same user’s browser and the browser still has that session info stored, an authorization code will be returned. By default, this session lasts for 14 days.


Security Note

A user will always be required to enter a password before changing security questions or their existing password.

Codes and Tokens

After successful sign in by the user, they are redirected back to the redirect_uri defined in the call and an authorization code is appended to the URL.

That authorization code would look like the following (see code parameter):


This is a one-time use token with an actual size of 14 characters, by default. It is returned by the first call (/authorize) and required on the second request (/token) in order to reach that API call and get a new pair of tokens.


This will be returned as a JSON Web Token or JWT.


Technical Note

What you need to know about the id_token

  • It has three distinct sections separated by a period: head, payload, and signature.
  • The content is base64 encoded and this needs to be decoded to get the information being returned.
  • The JWT signature is created using a private key and takes the header and the payload content to generate. So if the payload is changed, then the signature will no longer be valid.

Here is an example of a JWT:

    "token_type": "Bearer",
    "id_token": "eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2Rldi5bWU9VUiBET01BSU5dIiwic3ViIjoiYjMwNjQ3ZWYtN2YwMy00Y2UxLWFlOTEtOTQ3NmU0OWQwNjA1IiwiYXVkIjoiODk0NHJwc2FtNWNkM2twYjZ2cWFrdmFjcjZkdmdmcWYiLCJpYXQiOjE2MTAwNTI1MzAsImV4cCI6MTYxMTI2MjEzMCwibm9uY2UiOiJvQTBLN3hVU1JXOEIwWllNZ2szN3lvM0txYTdQaURFd0F2NllITURyV0dVQ0RQVDNLbyIsIm5hbWUiOiJKb2huIiwiZ2l2ZW5fbmFtZSI6IkpvaG4iLCJmYW1pbHlfbmFtZSI6IkpvbmVzIiwiZW1haWwiOiJqb2huLmpvbmVzQGVtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwaG9uZV9udW1iZXJfdmVyaWZpZWQiOmZhbHNlLCJ1cGRhdGVkX2F0IjoiMjAyMS0wMS0wNyAyMDo0NDozNS4xNzY2MjUgKzAwMDAifQ.vdv2vnNEJduD0LVfdxqjQErCPR_Yyh2cPQBUTieEtJc",
    "access_token": "rb5bzkygqs5ahevp",
    "refresh_token": "h4zakujpack6qtfbyy8r",
    "expires_in": 3600

When the id_token is decoded, it will look like this:

  "iss": "https://[YOUR DOMAIN]",
  "sub": "b30647ef-7f03-4ce1-ae91-9476e49d0605",
  "aud": "8944rpsam5cd3kpb6vqakvacr6dvgfqf",
  "iat": 1610052530,
  "exp": 1611262130,
  "nonce": "yMLsS49XhyEcxJESP9YEN2QetYrVWVzPxJAvF7wkaDLWAn9PyK",
  "name": "John",
  "given_name": "John",
  "family_name": "Smith",
  "email": "[email protected]",
  "email_verified": true,
  "phone_number_verified": false,
  "updated_at": "2021-01-07 20:44:35.176625 +0000"


This is received on /token call as a header with an actual size of 16 characters by default.


This is received on /token call as a header, together with the access_token.