Userinfo endpoint

The userinfo endpoint returns authorized information (claims) about the end-user represented by the corresponding authorization grant. To obtain the requested claims about the End-User, the client requests to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication. The claims are represented as JSON objects containing a collection of key-value pairs.

For more information about the standard claims supported by CyberArk Identity and details on adding additional claims to the userinfo response, please refer:

To get claims from the userinfo endpoint, the client application sends a request to the "/userinfo" endpoint by passing an access token as a bearer as below:

Authorization: 'Bearer {access_token}.'
POST https://{tenant_url} /oauth2/userinfo/{application_id}

The basic response of the userinfo endpoint is as below:

    "auth_time": <user authentication time>
    "aud": <user UUID>,
    "unique_name": "<username>",
    "sub": "<client ID>"

Different claims can be requested from the userinfo endpoint by generating access tokens with the corresponding scopes.

For example, to request email and profile-related claims from the userinfo endpoint, the access token should be generated with scopes "email profile."

Once the access token is generated, it can be passed to the userinfo endpoint. The response for the userinfo endpoint (where the access token used to get claims has the scope "email profile") is as below:

    "given_name": "monika.a",
    "aud": "90ab28fc-f890-4b3d-9c44-722c9b6ecf2b",
    "name": "monika.a",
    "email": "[email protected]",
    "family_name": "monika.a",
    "preferred_username": "monika.a",
    "unique_name": "monika.a",
    "sub": "c2c7bcc6-9560-44e0-8dff-5be221cd37ee",
    "email_verified": true


Integrate userinfo endpoint using CyberArk Identity SDKs

CyberArk Identity provides SDKs to integrate authorization code flow into your applications.