> Understand scopes and claims used with the OpenID Connect (OIDC) protocol.

# OpenID Connect Scopes

This document discusses scopes included within the <Tooltip tip="OpenID: Open standard for authentication that allows applications to verify users' identities without collecting and storing login information." cta="View Glossary" href="/docs/glossary?term=OpenID">OpenID</Tooltip> Connect (OIDC) authentication protocol. For more info about OIDC itself, read [OpenID Connect Protocol](/docs/authenticate/protocols/openid-connect-protocol).

OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's details, like name and picture. Each scope returns a set of user attributes, which are called claims. The scopes an application should request depend on which user attributes the application needs. Once the user authorizes the requested scopes, the claims are returned in an <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+Token">ID Token</Tooltip> and are also available through the [`/userinfo` endpoint](/docs/api/authentication/user-profile/get-user-info).

For example, let's say you have built a regular web application, registered it with Auth0, and have configured it to allow a user to log in using a username and password. Once a user logs in to your app, you want to auto-generate and send a personalized welcome email, including the user's name.

1. A user clicks **Login** within your app.
2. Your app redirects the user to the Auth0 Authorization Server (`/authorize` endpoint), including the following scopes:

   * `openid` (required; to indicate that the application intends to use OIDC to verify the user's identity)
   * `profile` (so you can personalize the email with the user's name)
   * `email` (so you know where to send the welcome email)
3. Your Auth0 Authorization Server redirects the user to the login prompt.
4. The user authenticates and sees a consent page listing the scopes Auth0 will give to your app, which include access to their profile information and email address.
5. The user accepts and authorizes your app to have this level of access to their information stored by Auth0.
6. Your app now has access to the user's profile information and email address.

## Standard claims

Standard claims are intended to provide an application with user details, such as name, email, and picture, and are pre-defined for the OIDC protocol. These claims are returned in an ID Token and are also available through the [`/userinfo` endpoint](/docs/api/authentication/user-profile/get-user-info).

You can also create custom claims, which are claims that you define, control, and add to a token using [Auth0 Actions](/docs/customize/actions/actions-overview). To learn more, read [JSON Web Token Claims](/docs/secure/tokens/json-web-tokens/json-web-token-claims).

The basic (and required) scope for OIDC is `openid`, which indicates that an application intends to use the OIDC protocol to verify a user's identity. Beyond that, an application can ask for additional scopes by listing the requested scope names in the `scope` parameter, separated by spaces.

Standard claims included in the most commonly used scopes are listed below. For the full list of available standard claims, read [OIDC specification: Standard Claims on openid.net](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). For the full list of scopes, see [OIDC specification: Requesting Claims Using Scope Values on openid.net](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims).

| Scope     | Claims                                                                                                                                                                                                                                                                               |
| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `openid`  | (required) Returns the `sub` claim, which uniquely identifies the user. In an ID Token, `iss`, `aud`, `exp`, `iat`, and `at_hash` claims will also be present. To learn more about the ID Token claims, read [ID Token Structure](/docs/secure/tokens/id-tokens/id-token-structure). |
| `profile` | Returns claims that represent basic profile information, including `name`, `family_name`, `given_name`, `middle_name`, `nickname`, `picture`, and `updated_at`.                                                                                                                      |
| `email`   | Returns the `email` claim, which contains the user's email address, and `email_verified`, which is a boolean indicating whether the email address was verified by the user.                                                                                                          |

For an example showing how to request standard claims for your application, read [Sample Use Cases: Scopes and Claims](/docs/get-started/apis/scopes/sample-use-cases-scopes-and-claims).
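The login flow and the scope table above, as an added example (not Auth0's own code): it builds the `/authorize` redirect with a space-separated `scope` value, flags claims in a returned ID Token that the granted scopes do not explain, and gates the welcome email on `email_verified`. The domain, client ID, callback URL, and sample payload are constructed placeholders, and the payload is assumed to come from an ID Token whose signature was already verified.

```python
from urllib.parse import urlencode

# Scope -> claims, copied from the table above.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "middle_name",
                "nickname", "picture", "updated_at"},
    "email": {"email", "email_verified"},
}
# Claims the table lists as also present in an ID Token, plus `nonce`,
# which OIDC echoes back when the request carried one.
ID_TOKEN_BASE = {"iss", "aud", "exp", "iat", "at_hash", "nonce"}

# Constructed sample: decoded payload of an already-verified ID Token.
SAMPLE_PAYLOAD = {"iss": "https://tenant.example.com/", "sub": "auth0|123",
                  "aud": "CLIENT_ID", "exp": 1700003600, "iat": 1700000000,
                  "name": "Ada Example", "email": "ada@example.com",
                  "email_verified": False,
                  "https://app.example.com/roles": ["admin"]}


def build_authorize_url(domain, client_id, redirect_uri, scopes, state, nonce):
    """Build the /authorize redirect, requesting only scopes from the table."""
    if "openid" not in scopes:
        raise ValueError("the openid scope is required for OIDC")
    unknown = [s for s in scopes if s not in SCOPE_CLAIMS]
    if unknown:
        raise ValueError(f"scopes not in the table: {unknown}")
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri,
                       "scope": " ".join(scopes),  # space-separated list
                       "state": state, "nonce": nonce})
    return f"https://{domain}/authorize?{query}"


def unexpected_claims(granted_scopes, payload):
    """Claims in the payload that no granted scope explains: either custom
    claims or more user data than the application asked for."""
    allowed = set(ID_TOKEN_BASE)
    for scope in granted_scopes:
        allowed |= SCOPE_CLAIMS.get(scope, set())
    return set(payload) - allowed


def welcome_email_target(payload):
    """Return the address for the welcome email only if it was verified."""
    if payload.get("email_verified") is True:
        return payload.get("email")
    return None
```

Anything `unexpected_claims` returns is worth reviewing against the custom claims you add through Actions, so that tokens carry only the attributes the application needs.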

## Learn more

* [Sample Use Cases: Scopes and Claims](/docs/get-started/apis/scopes/sample-use-cases-scopes-and-claims)
* [Scopes](/docs/get-started/apis/scopes)
* [Create Custom Claims](/docs/secure/tokens/json-web-tokens/create-custom-claims)
