ID tokens are used in token-based authentication to cache user profile information and provide it to a client application, thereby providing better performance and experience. The application receives an ID token after a user successfully authenticates, then consumes the ID token and extracts user information from it, which it can then use to personalize the user's experience.
For example, suppose you have a regular web app that you register it with Identity Engine and configure to allow users to login with Google. Once a user logs in, use the ID token to gather information such as name and email address, which you can then use to auto-generate and send a personalized welcome email.
ID Tokens should never be used to obtain direct access to APIs or to make authorization decisions.
I## D token security As with other JWTs, you should follow token usage best practices when using and storing ID tokens.
Be sure to validate ID tokens before using the information it contains. You can use a library to help with this task.
ID token lifetime
By default, an ID token is valid for 36000 seconds (10 hours). If there are security concerns, you can shorten the time period before the token expires, keeping in mind that one of the purposes of the token is to improve user experience by caching user information. See Update ID Token Lifetime for details.