
Token structure and claims

Access tokens issued by Kinde to Machine-to-Machine (M2M) applications are JSON Web Tokens (JWTs) that include trusted claims about the app, its scopes, and (if applicable) the organization.

This reference explains what those claims are and how to use them securely in your APIs or services.

How to view token claims


Tokens returned from the client credentials flow can be decoded using any standard JWT library, or online tools like Kinde’s JWT decoder.

You only need to validate the signature yourself when you verify tokens on your own backend (outside of Kinde-hosted APIs). For most use cases, Kinde validates the token for you when you call our APIs.

Example token payloads


Global M2M app

{
  "aud": [
    "your-api-audience"
  ],
  "azp": "d4d3c5b74e064badb9625a4aa6241bcc",
  "exp": 1751237068,
  "gty": [
    "client_credentials"
  ],
  "iat": 1751150668,
  "iss": "https://<your-subdomain>.kinde.com",
  "jti": "f95ed3e0-cc4d-40c4-b95a-9971729b0ae5",
  "scope": "read:users write:flags",
  "scp": [
    "read:users",
    "write:flags"
  ],
  "v": "2"
}

Org-scoped M2M app

{
  "aud": [
    "your-api-audience"
  ],
  "azp": "d4d3c5b74e064badb9625a4aa6241bcc",
  "exp": 1751237068,
  "gty": [
    "client_credentials"
  ],
  "iat": 1751150668,
  "iss": "https://<your-subdomain>.kinde.com",
  "jti": "f95ed3e0-cc4d-40c4-b95a-9971729b0ae5",
  "org_code": "org_ba4a2311eb1",
  "scope": "read:users write:flags",
  "scp": [
    "read:users",
    "write:flags"
  ],
  "v": "2"
}

Standard claims

Claim   Description
aud     The audience for the token. This is the API that the token is intended for.
azp     The client ID of the M2M app that requested the token.
exp     The expiration time of the token.
gty     The grant type for the token. This is always client_credentials.
iat     The issuance time of the token.
iss     The issuer of the token. This is the Kinde environment URL.
jti     The unique identifier for the token.
scope   The scopes granted to the token.
scp     The list of scopes initially requested.
v       The version of the token.

Additional claims for org-scoped apps

Claim     Description
org_code  The organization code for the token.

Validating and using claims


In your API or backend service, you can use these claims to enforce access:

  • Confirm the aud matches the expected audience for your API
  • If your endpoint is organization-specific (e.g. /orgs/:org_code/...), ensure that org_code from the token matches the route parameter
  • Use scopes to implement scope-based access control (e.g. write:flags required to enable a feature flag)
  • Tokens are signed using asymmetric keys (RS256)
  • You can retrieve your Kinde environment’s public keys from the OpenID configuration endpoint
  • Token claims are added by Kinde based on the M2M app’s configuration and assigned scopes — they cannot be overridden in the token request
  • You can request multiple audiences
  • You can request specific scopes to limit the permissions of the token