
# Access token format

The issuer access token is required for the issuer application to start a D1 SDK login session.

It is a JSON Web Token (JWT): a set of JSON header parameters and payload claims that are signed using a private key. The JWT claims and the signature are validated during the login session.

### Access token header

{% tabs %}
{% tab title="Claims" %}

<table><thead><tr><th width="209.00006103515625">JWT Header Parameters</th><th>Type</th><th>Required</th><th>Description</th></tr></thead><tbody><tr><td><code>kid</code></td><td>string</td><td>Yes</td><td>Identifies the key used to sign the JWT.</td></tr><tr><td><code>typ</code></td><td>string</td><td>No</td><td>Identifies the media type. Use <code>"JWT"</code>.</td></tr><tr><td><code>alg</code></td><td>string</td><td>Yes</td><td>Defines the algorithm used to sign the JWT.</td></tr></tbody></table>
{% endtab %}

{% tab title="Example" %}
{% code title="access-token-header.json" %}

```json
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "iss1_kid"
}
```

{% endcode %}
{% endtab %}
{% endtabs %}

### Access token payload

{% tabs %}
{% tab title="JSON schema" %}

<table><thead><tr><th>JWT payload claim</th><th>Type</th><th width="88.666748046875">Required</th><th>Description</th></tr></thead><tbody><tr><td><code>exp</code></td><td>integer</td><td>Yes</td><td>Expiration time as a Unix timestamp (seconds). After the expiration time, the JWT will not be accepted for processing.</td></tr><tr><td><code>scope</code></td><td>string</td><td>Yes</td><td>Space-separated scopes used to authorize access. Configure these during D1 onboarding. D1 maps them to internal operation scopes. Example: <code>digibank:mobilebanking digibank:ecommerce</code>.</td></tr><tr><td><code>aud</code></td><td>string or array[string]</td><td>Yes</td><td>Identifies the recipients that the JWT is intended for.<br>The <code>aud</code> field is validated during authentication against this general convention:<br><code>https://{D1-client-api-domain-name}/oidc/{issuerId}</code>.</td></tr><tr><td><code>jti</code></td><td>string</td><td>Yes</td><td>Unique identifier for the JWT.</td></tr><tr><td><code>iss</code></td><td>string</td><td>Yes</td><td>Issuer of the JWT. If the access token public key is provisioned in the tenant configuration, set this to <code>issuerId</code> (single-issuer and multi-issuer token scenarios). If it is not provisioned, then for single-issuer tokens only, set this to the <code>jwks_uri</code> value specified in the <code>/.well-known/openid-configuration</code> file, from which the access token public key can be downloaded.</td></tr><tr><td><code>sub</code></td><td>string</td><td>Yes</td><td>Identifies the subject that is authenticated. Set this to <code>consumerId</code>.</td></tr><tr><td><code>iat</code></td><td>integer</td><td>Yes</td><td>Timestamp at which the JWT was issued.</td></tr></tbody></table>
{% endtab %}

{% tab title="Example (single consumer ID)" %}
{% code title="access-token-payload.single-consumerid.json" %}

```json
{
  "jti": "M9JHKtLdfXu782EH3hMf_",
  "sub": "testuser",
  "iat": 1626836247,
  "exp": 1627441047,
  "scope": "digibank:mobilebanking digibank:ecommerce",
  "iss": "tenant1",
  "aud": "https://client-api.d1.thalescloud.io/oidc/tenant1"
}
```

{% endcode %}
{% endtab %}

{% tab title="Example (multiple consumer IDs)" %}
The `sub` field can contain space-separated consumer IDs.

{% code title="access-token-payload.multiple-consumerids.json" %}

```json
{
  "jti": "M9JHKtLdfXu782EH3hMf_",
  "sub": "testuser1 testuser2",
  "iat": 1626836247,
  "exp": 1627441047,
  "scope": "digibank:mobilebanking digibank:ecommerce",
  "iss": "tenant1",
  "aud": "https://client-api.d1.thalescloud.io/oidc/tenant1"
}
```

{% endcode %}
{% endtab %}
{% endtabs %}

### Algorithms

#### Supported and recommended

* ES256: ECDSA using P-256 & SHA-256
* ES384: ECDSA using P-384 & SHA-384
* ES512: ECDSA using P-521 & SHA-512

#### Supported

* RS256: RSASSA-PKCS1-v1\_5 using SHA-256
* RS512: RSASSA-PKCS1-v1\_5 using SHA-512
* PS256: RSASSA-PSS
* PS384: RSASSA-PSS
* PS512: RSASSA-PSS
* EdDSA (Ed25519)
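
The header table, payload table and algorithm list above can be turned into a pre-flight check that an issuer backend runs on a token before handing it to the application. This is an added example, not Thales code: `lint_access_token` and `sample_token` are hypothetical names, the sample token carries placeholder signature bytes, the signature is not verified, and for an array `aud` it assumes one entry must match the convention.

```python
import base64, json, re

# Allowlist copied from the "Algorithms" section; anything else is rejected.
ALLOWED_ALGS = ("ES256", "ES384", "ES512", "RS256", "RS512",
                "PS256", "PS384", "PS512", "EdDSA")
# Required payload claims and their JSON types, from the payload table.
REQUIRED = {"exp": int, "iat": int, "scope": str, "jti": str,
            "iss": str, "sub": str, "aud": (str, list)}
PAGE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "iss1_kid"}  # page example
PAGE_PAYLOAD = {"jti": "M9JHKtLdfXu782EH3hMf_", "sub": "testuser", "iss": "tenant1",
                "iat": 1626836247, "exp": 1627441047,
                "scope": "digibank:mobilebanking digibank:ecommerce",
                "aud": "https://client-api.d1.thalescloud.io/oidc/tenant1"}

def sample_token(header, payload):
    """Constructed sample: documented layout, placeholder signature bytes."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.c2ln"

def lint_access_token(token, issuer_id):
    """List format problems; [] means the layout matches. No signature check."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return ["not a signed compact JWT (header.payload.signature)"]
    try:
        header, payload = (json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
                           for p in parts[:2])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return ["header and payload must be JSON objects"]
    problems = []
    if not isinstance(header.get("kid"), str) or not header["kid"]:
        problems.append("header.kid missing")
    if header.get("alg") not in ALLOWED_ALGS:
        problems.append(f"header.alg {header.get('alg')!r} not supported")
    if header.get("typ", "JWT") != "JWT":
        problems.append("header.typ must be 'JWT' when present")
    for claim, kind in REQUIRED.items():
        if isinstance(payload.get(claim), bool) or not isinstance(payload.get(claim), kind):
            problems.append(f"payload.{claim} missing or wrong type")
    if not problems:
        auds = payload["aud"] if isinstance(payload["aud"], list) else [payload["aud"]]
        # Assumption: at least one entry follows https://{domain}/oidc/{issuerId}.
        pattern = rf"https://[^/\s]+/oidc/{re.escape(issuer_id)}"
        if not any(isinstance(a, str) and re.fullmatch(pattern, a) for a in auds):
            problems.append("payload.aud does not follow the documented convention")
        if payload["exp"] <= payload["iat"]:
            problems.append("payload.exp is not after payload.iat")
    return problems
```

Tokens whose header names `none`, an HMAC algorithm, or any other value outside the list on this page are reported before the audience and lifetime checks run.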

