This documentation is for WSO2 API Manager 2.5.0. View documentation for the latest release.

All docs This doc

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Tested and updated for 2.5.0


You can use WSO2 API Manager to obtain basic profile information about the user who generates the access token. To obtain this information, the openid scope needs to be passed, when generating the access token. API manager will send a JWT which contains information about the user who is generating the who generates the token, as part of the response for this request. You can configure the information returned with the JWT token.


  1. Obtain a token using password grant type and openid scope. For more information on token generation with password grant type, see Password Grant Type. The format of the cURL curl command and a sample is given below :

    Localtab Group
    Code Block
    curl -k -d "grant_type=password&username=<USERNAME>&password=<PASSWORD>&scope=openid" -H "Authorization: Basic <BASE64 ENCODED CONSUMER_KEY:CONSUMER_SECRET>, Content-Type: application/x-www-form-urlencoded" https://<GATEWAY_HOSTNAME>:<PORT>/token
    Code Block
    curl -k -d "grant_type=password&username=testuser&password=testuserpassword&scope=openid" -H "Authorization: Basic M1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYTpXeElqSkFJd0dqRWVYOHdHZGFfcGM1Wl94RjRh, Content-Type: application/x-www-form-urlencoded"

    You will receive a response in the fowmat format shown below. Note that the id_token parameter contains the JWT related to user information.

    Code Block
      "access_token": "83705add-d77e-3cc8-9b6a-53d210ed3fed",
      "refresh_token": "4b283fb8-942f-316d-ba90-44b4c76ae419",
      "scope": "openid",
      "id_token": "eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiY1hoV0l2SXdSYlBnVDBBTG1hekpIUSIsImFjciI6InVybjptYWNlOmluY29tbW9uOmlhcDpzaWx2ZXIiLCJzdWIiOiJzdWJzY3JpYmVyQGNhcmJvbi5zdXBlciIsImF1ZCI6WyJLb05EbGVTckYzbmFYV3doYXZhbzRiQm9NWWNhIl0sImF6cCI6IktvTkRsZVNyRjNuYVhXd2hhdmFvNGJCb01ZY2EiLCJvcmdhbml6YXRpb24iOiJXU08yIiwiaXNzIjoiaHR0cHM6XC9cLzE3Mi4xNi4yLjExMTo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiZXhwIjoxNTExOTUwNDEzLCJpYXQiOjE1MTE5NDY4MTMsImVtYWlsIjoic3ViMUBnbWFpbC5jb20ifQ.gdj0jn4PX5R4j5Y0ZNyEwi2G-NPq3_iW89NqkRxeszdcMLvDP-ncRWMaYyUYc-bQqADekTdQUC6ACSVUlJBKau3Oy8uu-AO8pajIm-hWEX_PBqoMRtFztxggmKFaL6G0rdRBIu8LzL5lbX2cTKss_zYwNmcPDsKDWdQDmL089Wg",
      "token_type": "Bearer",
      "expires_in": 3600
  2. The following two options are available to view the actual user information.
    Table of Contents

Decoding the id_token

By decoding the id_token, a payload similar to the following can be obtained, with user information such as email, organization, etc. 

Code Block
  "at_hash": "cXhWIvIwRbPgT0ALmazJHQ",
  "acr": "urn:mace:incommon:iap:silver",
  "sub": "[email protected]",
  "aud": [
  "azp": "KoNDleSrF3naXWwhavao4bBoMYca",
  "organization": "WSO2",
  "iss": "",
  "exp": 1511950413,
  "iat": 1511946813,
  "email": "[email protected]"

For an online tool to decode the JWT, go to 

Invoking the userinfo endpoint

You can obtain user information as a payload by invoking the userinfo endpoint with the access token obtained in step 1. The format of the cURL curl command and a sample is given below