Scopes reference
Scopes control which parts of the user’s identity your application can read from Truora Pass. You request scopes in the authorization request (space-delimited in the scope parameter), the user consents to them on the Truora Pass consent screen, and the granted scopes determine which claims the UserInfo endpoint releases.
Note: every scope you request must be registered for your application. Requesting an unregistered scope makes the authorization request fail — see Registering your application.
Scope catalog
| Scope | What it grants | Claims released |
|---|---|---|
openid |
OpenID Connect base scope; enables the id_token and the stable user identifier |
sub |
email |
The user’s email address and its verification state | email, email_verified |
phone |
The user’s phone number and its verification state | phone_number, phone_number_verified |
profile |
Basic profile: name, gender, date of birth, nationality | name, first_name, last_name, gender, birthdate, nationality, updated_at |
identity |
Identity-verification status plus name and primary document details | identity_verified, verification_level, given_name, family_name, birthdate, nationality, document_number, document_type, issuing_authority, is_risky, was_manually_reviewed, document_expired, expiration_date |
documents |
All of the user’s verified documents | documents (array) |
age |
Age range and birthdate | age_verified, is_minor, age_range, birthdate |
address |
The user’s address | address (object) |
background |
Background-check outcome | trust_level, background_verified, verification_badges, manual_verification_status |
biometric |
Face enrollment and liveness state | face_enrolled, last_face_verification_date, liveness_check_passed, face_match_confidence, quality_level, verification_method |
verification |
Overall verification status, methods, and date | verification_status, verification_date, verification_methods |
contact |
Contact information bundle | email, email_verified, phone_number, phone_number_verified, preferred_communication_method |
nationality |
The user’s nationality | nationality |
Note: profile and identity intentionally use different name claims: profile carries the self-reported profile name as first_name / last_name, while identity carries the document-verified name under the OIDC standard claims given_name / family_name. Both sets appear when both scopes are granted.
For the exact value formats and enumerations of every claim, see UserInfo and claims.
Granular document scopes
Instead of the broad documents scope, your application can request specific documents with the hierarchical form:
document:<COUNTRY>:<TYPE>
A granular document scope filters the documents array released at UserInfo down to the matching country and document type. document:ALL:ALL is equivalent to documents.
CIBA-sensitive scopes
In the CIBA flow (decoupled, backchannel authorization), some scopes are considered sensitive. When a CIBA request includes any of them, the binding_message parameter becomes required at POST /v1/oauth2/bc-authorize — Truora Pass shows it to the user on the approval screen so they know what they are approving.
| Scope | CIBA binding_message |
|---|---|
documents |
Required |
background |
Required |
| All other scopes in the catalog | Optional |
The binding_message is displayed to the user as sent; messages longer than 200 characters are truncated.
Partner-only scopes
Additional partner-only scopes exist beyond this catalog — contact Truora if your integration needs them.