UserJwtPayload
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
Human-user access token. Issued by /auth/login, /auth/refresh,
/auth/sso/exchange, /auth/sso/callback (non-PKCE), etc.
Discriminated by token_type: 'access'. Service tokens (the M2M flow)
share the same TokenClaims struct on the Go side but set token_type: 'service' and populate client_id/service_name/scopes instead — see
ServiceJwtPayload.
Extends
Properties
app_code?
optional app_code?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
app_id?
optional app_id?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
App scoping (AUDIT 8.3). Downstream services validate
claims.app_code === self.app_code so a token minted for app A can
never be accepted by app B. Both are absent when
AUTH_ALLOW_BASE_USER_LOGIN is set and login carried no app_code.
aud?
optional aud?: string | string[]
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
Inherited from
auth_provider?
optional auth_provider?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
display_name?
optional display_name?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
email: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
exp?
optional exp?: number
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
Inherited from
first_name?
optional first_name?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
iat?
optional iat?: number
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
Inherited from
imp_email?
optional imp_email?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
Inherited from
imp_uid?
optional imp_uid?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
Inherited from
iss?
optional iss?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
Inherited from
jti?
optional jti?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
Inherited from
last_name?
optional last_name?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
namespace?
optional namespace?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
User pool / namespace (auth-server migration 017). The home pool
the identity belongs to. Absent for the default pool (the
server omits it for wire economy). See the auth-server
docs/USER_POOLS.md.
nbf?
optional nbf?: number
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
Inherited from
org_id?
optional org_id?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
Organization context. Nil when the user logged in without org scoping.
org_name?
optional org_name?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
org_slug?
optional org_slug?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
permissions
permissions: string[]
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
remember_me?
optional remember_me?: boolean
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
roles
roles: string[]
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
session_id?
optional session_id?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
sub?
optional sub?: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
Inherited from
token_type
token_type: "access"
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
tv?
optional tv?: number
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
Per-user token-version counter captured at issue time (AUDIT 1.10 /
3.4). The server bumps this on logout-all / role-change; validators
reject tokens whose tv is below the current per-user value.
uid
uid: string
Defined in: @rw3iss/auth-shared/src/jwt/claims.ts
User id. Matches uid on the wire (Go UserID claim).
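The token_type, app_code and tv checks described above, combined into one downstream validator as an added example (not code from @rw3iss/auth-shared). It assumes signature and expiry were already verified; checkAccessClaims, selfAppCode, the currentTv lookup and the sample data are hypothetical.

```typescript
// Added example. Only the claims checked here are declared; the full
// shape is UserJwtPayload.
interface AccessClaims {
  token_type: string;
  uid: string;
  app_code?: string;
  tv?: number;
}

type Verdict = "ok" | "wrong token_type" | "app_code mismatch" | "stale tv";

// selfAppCode: this service's own app code (hypothetical config value).
// currentTv: returns the current per-user token version (hypothetical lookup).
function checkAccessClaims(
  claims: AccessClaims,
  selfAppCode: string,
  currentTv: (uid: string) => number,
): Verdict {
  // Service (M2M) tokens set token_type 'service'; accept only 'access' here.
  if (claims.token_type !== "access") return "wrong token_type";
  // Strict equality also rejects a token that carries no app_code at all.
  if (claims.app_code !== selfAppCode) return "app_code mismatch";
  // Assumption: a token with no tv claim is treated as version 0.
  const tv = claims.tv ?? 0;
  if (tv < currentTv(claims.uid)) return "stale tv";
  return "ok";
}

// Constructed sample state: u1's version was bumped twice (e.g. logout-all).
const tvStore: Record<string, number> = { u1: 2 };
const lookupTv = (uid: string): number => tvStore[uid] ?? 0;

// This service is the constructed app "billing".
function verdictFor(claims: AccessClaims): Verdict {
  return checkAccessClaims(claims, "billing", lookupTv);
}

console.log(verdictFor({ token_type: "access", uid: "u1", app_code: "billing", tv: 2 }));
console.log(verdictFor({ token_type: "access", uid: "u1", app_code: "billing", tv: 1 }));
console.log(verdictFor({ token_type: "access", uid: "u1", app_code: "crm", tv: 2 }));
```

A token issued without app_code (the AUTH_ALLOW_BASE_USER_LOGIN case) fails the equality check here, so an app-scoped service rejects it.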