Scopes reference

Scopes control which parts of the user’s identity your application can read from Truora Pass. You request scopes in the authorization request (space-delimited in the scope parameter), the user consents to them on the Truora Pass consent screen, and the granted scopes determine which claims the UserInfo endpoint releases.

Note: every scope you request must be registered for your application. Requesting an unregistered scope makes the authorization request fail — see Registering your application.

Scope catalog

Scope What it grants Claims released
openid OpenID Connect base scope; enables the id_token and the stable user identifier sub
email The user’s email address and its verification state email, email_verified
phone The user’s phone number and its verification state phone_number, phone_number_verified
profile Basic profile: name, gender, date of birth, nationality name, first_name, last_name, gender, birthdate, nationality, updated_at
identity Identity-verification status plus name and primary document details identity_verified, verification_level, given_name, family_name, birthdate, nationality, document_number, document_type, issuing_authority, is_risky, was_manually_reviewed, document_expired, expiration_date
documents All of the user’s verified documents documents (array)
age Age range and birthdate age_verified, is_minor, age_range, birthdate
address The user’s address address (object)
background Background-check outcome trust_level, background_verified, verification_badges, manual_verification_status
biometric Face enrollment and liveness state face_enrolled, last_face_verification_date, liveness_check_passed, face_match_confidence, quality_level, verification_method
verification Overall verification status, methods, and date verification_status, verification_date, verification_methods
contact Contact information bundle email, email_verified, phone_number, phone_number_verified, preferred_communication_method
nationality The user’s nationality nationality

Note: profile and identity intentionally use different name claims: profile carries the self-reported profile name as first_name / last_name, while identity carries the document-verified name under the OIDC standard claims given_name / family_name. Both sets appear when both scopes are granted.

For the exact value formats and enumerations of every claim, see UserInfo and claims.

Granular document scopes

Instead of the broad documents scope, your application can request specific documents with the hierarchical form:

document:<COUNTRY>:<TYPE>

A granular document scope filters the documents array released at UserInfo down to the matching country and document type. document:ALL:ALL is equivalent to documents.

CIBA-sensitive scopes

In the CIBA flow (decoupled, backchannel authorization), some scopes are considered sensitive. When a CIBA request includes any of them, the binding_message parameter becomes required at POST /v1/oauth2/bc-authorize — Truora Pass shows it to the user on the approval screen so they know what they are approving.

Scope CIBA binding_message
documents Required
background Required
All other scopes in the catalog Optional

The binding_message is displayed to the user as sent; messages longer than 200 characters are truncated.

Partner-only scopes

Additional partner-only scopes exist beyond this catalog — contact Truora if your integration needs them.