UserInfo and claims
Truora Pass releases all identity information through a single endpoint: GET /v1/oauth2/userinfo. Treat the tokens your application receives as opaque credentials — do not try to decode or verify them locally. To read the user’s identity, call the UserInfo endpoint with the access token; Truora Pass is the verifier and answers with exactly the claims the user consented to share.
Calling the UserInfo endpoint
Send a GET request to the UserInfo endpoint with the access token as a Bearer token:
curl --request GET 'https://api.pass.truora.com/v1/oauth2/userinfo' \
--header 'Authorization: Bearer <access_token>'
The response is a dynamic JSON map: which keys appear depends on the scopes granted to the access token. The sub claim (the stable user identifier for your application) is always present. Claims without data are omitted — for example, the profile claims are only included when the corresponding field is non-empty.
Example response for an access token granted the openid email profile scopes:
{
"sub": "WLT_USR_01ARZ3NDEKTSV4RRFFQ69G5FAV",
"email": "ana@example.com",
"email_verified": true,
"name": "Ana García",
"first_name": "Ana",
"last_name": "García",
"birthdate": "1992-04-15",
"nationality": "CO",
"updated_at": 1719945600
}
Note: when the background scope is granted, Truora Pass refreshes the user’s background information before building the response, so the returned trust_level reflects the latest available result.
Claims by scope
The table below lists every claim the UserInfo endpoint can release, grouped by the scope that unlocks it. See the Scopes reference for what each scope means and how to request it.
| Scope | Claims |
|---|---|
openid |
sub — stable user identifier (always present in every response) |
email |
email, email_verified (boolean) |
phone |
phone_number, phone_number_verified (boolean) |
profile |
name, first_name, last_name, gender, birthdate (YYYY-MM-DD), nationality, updated_at (Unix timestamp, integer) — each included only when non-empty |
identity |
identity_verified (boolean), verification_level (basic or none), given_name, family_name, birthdate, nationality, document_number, document_type, issuing_authority, is_risky (boolean), was_manually_reviewed (boolean); document_expired (boolean) and expiration_date only when the document is verified and expired |
documents |
documents — array of {document_type, document_number, country, date_of_birth} objects (valid documents only; date_of_birth when available) |
age |
age_verified (boolean); when a birthdate is on file: is_minor (boolean), age_range (under_18, over_18, over_21, or over_65), birthdate |
address |
address — object {country, street_address, city, state_province, postal_code, address_verified} |
background |
trust_level (high, medium, low, or not_available), background_verified (boolean), verification_badges (array), manual_verification_status |
biometric |
face_enrolled (boolean), last_face_verification_date (RFC 3339, when available), liveness_check_passed (boolean), face_match_confidence (not_available), quality_level (not_available), verification_method (photo) |
verification |
verification_status (full, partial, or none), verification_date (RFC 3339, when available), verification_methods — array with any of document, face |
contact |
email, email_verified, phone_number, phone_number_verified, preferred_communication_method (email) |
nationality |
nationality |
Note: The two name conventions are intentional, not a typo. The profile scope releases the user’s self-reported profile as first_name / last_name (plus the combined name), while the identity scope releases the document-verified name under the OpenID Connect standard claims given_name / family_name. When both scopes are granted, the response contains both sets.
For guidance on interpreting the verification-related claims (identity_verified, verification_status, trust_level, and friends), see Consuming identity-verification results.
The ID token
When the granted scopes include openid, the token response from the Authorization Code flow or the CIBA flow also contains an id_token. The ID token is a record of the authentication event, not a carrier of identity data — it contains only the fixed OpenID Connect claims:
| Claim | Meaning |
|---|---|
sub |
User identifier (same value as UserInfo sub) |
iss |
Issuer |
aud |
Your client_id |
iat |
Issued-at time |
exp |
Expiration time |
auth_time |
When the user authenticated (when available) |
amr |
Authentication methods used (when available) |
acr |
Authentication context class satisfied (when available) |
Key facts about the ID token:
- It expires 5 minutes after issuance — use it at sign-in time, then rely on the access token.
- It is issued only when the
openidscope is granted. - It is not re-issued when you refresh the access token with a refresh token.
- It never contains scope-derived identity claims. All identity data — name, documents, verification status — is released exclusively by the UserInfo endpoint.
Note: treat both the access token and the ID token as opaque values. Do not attempt local signature verification; read the user’s identity by calling GET /v1/oauth2/userinfo.
Error responses
| HTTP status | Error | When |
|---|---|---|
| 401 | Missing or invalid Bearer token | The Authorization header is absent, malformed, or the token is invalid or expired |
| 401 | insufficient_scope — “Invalid token: missing scopes” |
The token carries no usable scopes |
| 404 | user_not_found |
The user behind the token no longer exists |
See Errors and troubleshooting for the full error catalog across all endpoints.