IdP: issued token

The Identity Provider (IdP) issues a signed OpenVPT JWT in response to the platform request. The token includes the platform audience (aud) and the one-time challenge (nonce) to bind it to the requesting platform and this specific session.

Issued JWT (OpenVPT token)

The platform will validate signature + aud + nonce and then store only a minimal binding.

What the IdP is doing

Issues a signed token

The IdP creates a JWT and cryptographically signs it. This signature allows the platform to verify authenticity without contacting the IdP again during verification.

Binds the token to the platform (aud)

The aud claim ensures the token is valid only for the requesting platform. Even if copied, it must be rejected by any other service.

Binds the token to this request (nonce)

The nonce is echoed back inside the signed token, proving the token is fresh and was minted specifically in response to the platform’s one-time challenge.

Returns state unchanged

The IdP does not interpret state. It simply returns it so the platform can safely match the response to the original user session and prevent cross-session attacks.

Privacy note

The token contains only policy-relevant claims (personhood / age bracket / trust level), not identity data like name, date of birth, or ID number.
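The issue-and-verify exchange described above, end to end, as an added example (not code from the OpenVPT project): the IdP mints a JWT carrying aud, nonce and only policy-relevant claims; the platform matches the returned state to its pending session, checks signature, aud, nonce and expiry, and stores only a minimal binding. The signing key, issuer and platform URLs, the claim names personhood / age_bracket / trust_level, and the use of HS256 (a real IdP would use an asymmetric algorithm so the platform holds no signing capability) are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; a production IdP would sign with an asymmetric key.
IDP_SIGNING_KEY = b"demo-idp-signing-key-not-for-production"
IDP_ISSUER = "https://idp.example"            # assumed issuer identifier
PLATFORM_AUDIENCE = "https://platform.example"  # assumed platform identifier (aud)
TOKEN_LIFETIME_SECONDS = 300


class TokenRejected(Exception):
    """Raised by the platform when any binding check fails."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(nonce: str, audience: str, claims: dict, key: bytes, now=None) -> str:
    """IdP side: mint a signed JWT bound to the platform (aud) and to this request (nonce)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": IDP_ISSUER,
        "aud": audience,
        "nonce": nonce,  # echo of the platform's one-time challenge
        "iat": now,
        "exp": now + TOKEN_LIFETIME_SECONDS,
        **claims,  # policy-relevant claims only, never name / DoB / ID number
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def platform_verify_token(token: str, expected_aud: str, expected_nonce: str, key: bytes, now=None) -> dict:
    """Platform side: verify signature, aud, nonce and expiry without calling the IdP."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:
        raise TokenRejected("malformed token")
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        raise TokenRejected("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    if payload.get("iss") != IDP_ISSUER:
        raise TokenRejected("unexpected issuer")
    if payload.get("aud") != expected_aud:
        raise TokenRejected("aud mismatch: token was minted for another service")
    if not hmac.compare_digest(str(payload.get("nonce", "")), expected_nonce):
        raise TokenRejected("nonce mismatch: token was not minted for this challenge")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise TokenRejected("token expired")
    return payload


def platform_complete_login(pending: dict, state: str, token: str, key: bytes, now=None) -> dict:
    """Match the IdP response to the original session via state, verify, keep a minimal binding.

    `pending` maps state -> {"session_id": ..., "nonce": ...}; entries are consumed once.
    """
    session = pending.pop(state, None)  # unknown or replayed state cannot be matched
    if session is None:
        raise TokenRejected("unknown or already-used state")
    payload = platform_verify_token(token, PLATFORM_AUDIENCE, session["nonce"], key, now)
    # Store only what policy needs; the raw token and any other claims are discarded.
    return {
        "session_id": session["session_id"],
        "personhood": payload.get("personhood"),
        "age_bracket": payload.get("age_bracket"),
        "trust_level": payload.get("trust_level"),
    }
```

Note that the platform never has to contact the IdP during verification and never learns anything beyond the three policy claims; a token presented with the wrong nonce, the wrong aud, a reused state or a foreign signing key is rejected before any binding is stored.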