A JWT is a compact, URL-safe way to transfer information between two parties. It's an assertion of information about the bearer and subject of the token. The claims in a JWT are JavaScript Object Notation (JSON) objects that are encoded and serialized for transmission.
This reference describes the format, security characteristics, and contents of each type of token. You can find more details in the OpenID Connect specification.
The audience claim identifies the intended recipient of the token.
An ID token is a form of sign-in security token that your app receives when it performs authentication by using OpenID Connect. ID tokens are represented as JWTs, and they contain claims that you can use to sign the user in to your app. You can use the claims in an ID token in various ways.
Typically, admins use ID tokens to display account information or to make access control decisions in an app.
Although a party must authenticate with Azure AD to receive the bearer token, if steps are not taken to secure the token during transmission and storage, it can be intercepted and used by an unintended party.
Some security tokens have a built-in mechanism to prevent unauthorized parties from using them, but bearer tokens do not.
The same security principles apply when storing or caching bearer tokens for later use.
Always ensure that your app securely transmits and stores bearer tokens.
In ID tokens, the audience is your app's Application ID, assigned to your app in the Microsoft Application Registration Portal.
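The audience check described above, as an added example that is not part of the original reference: it decodes the payload of a compact JWT and rejects any token whose audience is not this app's Application ID. The function names, the placeholder `APP_ID`, and the sample token are constructed for illustration, and the code assumes the token's signature has already been validated by a separate step.

```python
import base64
import json

APP_ID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder Application ID

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWT must be header.payload.signature")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload must be a JSON object")
    return claims

def audience_matches(claims: dict, application_id: str) -> bool:
    """True only if the token was issued for this app.

    The JWT specification (RFC 7519) allows 'aud' to be a single string
    or a list of strings, so both shapes are handled.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == application_id
    if isinstance(aud, list):
        return application_id in aud
    return False  # missing or malformed audience: reject

def make_sample_token(claims: dict) -> str:
    """Build a constructed token for the demo; the signature segment is a dummy."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(claims), "c2ln"])

if __name__ == "__main__":
    for aud in (APP_ID, "11111111-1111-1111-1111-111111111111"):
        token = make_sample_token({"aud": aud, "name": "Sample User"})
        print(aud, "->", audience_matches(decode_claims(token), APP_ID))
```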