Access tokens are used internally by the SDK to perform actions on the XpansionChain API on behalf of the user. Most applications won't need to use access tokens explicitly.
ID Token
ID tokens identify Passport users.
Once you base64-decode an ID token and deserialize it, it will have the following structure:
interface IDToken {
  iss: string; // Issuer domain
  aud: string; // Your Passport client ID
  iat: number; // UNIX timestamp when the token was issued
  exp: number; // UNIX timestamp when the token expires
  sub: string; // User identifier
  sid: string; // Session identifier
}
You can rely on the sub claim to uniquely identify a Passport user.
If you are using Passport's ID tokens to identify users in your backend, simply base64-decoding a token and reading the sub claim is not sufficient to guarantee that the user is who they claim to be.
JWTs can be cryptographically verified using the issuer's (XpansionChain's) public key, which ensures that the token was in fact signed with XpansionChain's private key. Passport uses the RS256 algorithm to sign the tokens.
You can fetch the JSON Web Key Set (JWKS) containing the public key from the jwks_uri endpoint and use a trusted open-source JWT verification library to verify the tokens. You may choose to cache the public key in your application for performance reasons, but we don't recommend caching it for longer than 1 hour, as the signing keys may be rotated from time to time.