Interface: UserJwtPayload

Interface: UserJwtPayload

Defined in: jwt/claims.ts:44

Human-user access token. Issued by /auth/login, /auth/refresh, /auth/sso/exchange, /auth/sso/callback (non-PKCE), etc.

Discriminated by token_type: 'access'. Service tokens (the M2M flow) share the same TokenClaims struct on the Go side but set token_type: 'service' and populate client_id/service_name/scopes instead — see ServiceJwtPayload.

Extends

• BaseJwtClaims.ImpersonationClaims

Properties

app_code?

optional app_code?: string

Defined in: jwt/claims.ts:76

---

app_id?

optional app_id?: string

Defined in: jwt/claims.ts:75

App scoping (AUDIT 8.3). Downstream services validate claims.app_code === self.app_code so a token minted for app A can never be accepted by app B. Both are absent when AUTH_ALLOW_BASE_USER_LOGIN is set and login carried no app_code.

---

aud?

optional aud?: string | string[]

Defined in: jwt/claims.ts:20

Inherited from

BaseJwtClaims.aud

---

auth_provider?

optional auth_provider?: string

Defined in: jwt/claims.ts:64

---

display_name?

optional display_name?: string

Defined in: jwt/claims.ts:52

---

email

email: string

Defined in: jwt/claims.ts:49

---

exp?

optional exp?: number

Defined in: jwt/claims.ts:21

Inherited from

BaseJwtClaims.exp

---

first_name?

optional first_name?: string

Defined in: jwt/claims.ts:50

---

iat?

optional iat?: number

Defined in: jwt/claims.ts:22

Inherited from

BaseJwtClaims.iat

---

imp_email?

optional imp_email?: string

Defined in: jwt/claims.ts:32

Inherited from

ImpersonationClaims.imp_email

---

imp_uid?

optional imp_uid?: string

Defined in: jwt/claims.ts:31

Inherited from

ImpersonationClaims.imp_uid

---

iss?

optional iss?: string

Defined in: jwt/claims.ts:19

Inherited from

BaseJwtClaims.iss

---

jti?

optional jti?: string

Defined in: jwt/claims.ts:24

Inherited from

BaseJwtClaims.jti

---

last_name?

optional last_name?: string

Defined in: jwt/claims.ts:51

---

nbf?

optional nbf?: number

Defined in: jwt/claims.ts:23

Inherited from

BaseJwtClaims.nbf

---

org_id?

optional org_id?: string

Defined in: jwt/claims.ts:55

Organization context. Nil when the user logged in without org scoping.

---

org_name?

optional org_name?: string

Defined in: jwt/claims.ts:57

---

org_slug?

optional org_slug?: string

Defined in: jwt/claims.ts:56

---

permissions

permissions: string[]

Defined in: jwt/claims.ts:60

---

remember_me?

optional remember_me?: boolean

Defined in: jwt/claims.ts:63

---

roles

roles: string[]

Defined in: jwt/claims.ts:59

---

session_id?

optional session_id?: string

Defined in: jwt/claims.ts:62

---

sub?

optional sub?: string

Defined in: jwt/claims.ts:18

Inherited from

BaseJwtClaims.sub

---

token_type

token_type: "access"

Defined in: jwt/claims.ts:45

---

tv?

optional tv?: number

Defined in: jwt/claims.ts:69

Per-user token-version counter captured at issue time (AUDIT 1.10 / 3.4). The server bumps this on logout-all / role-change; validators reject tokens whose tv is below the current per-user value.

---

uid

uid: string

Defined in: jwt/claims.ts:48

User id. Matches uid on the wire (Go UserID claim).