UserInfo

Fetch verified user claims using the access token from /token.

The ID Token contains no PII. All personal attributes are returned only by /userinfo. Unsupported (requested) standard claims are listed in missing_claims. Verification context is provided in provenance. Evidence is included when the credential source returns it; the object contains a token payload and a semicolon‑delimited names list describing the keys. Keys vary by provider, so always read them from names. Content is relayed from the credential source.

Headers

Authorization

string

default:"Bearer eyJhbGci..."

required

Bearer access token issued by /token.

Responses

sub

string

required

Subject identifier. Stable per source identity across all clients.

acr

string

Authentication Context Class Reference.

hopae_loa

number

Numeric assurance level.

hopae_loa_label

string

Human‑readable assurance label (e.g., substantial).

missing_claims

string[]

Requested standard claims not provided by the source. Always [] for match flows (verification_model: "match").

provider_id

string

Provider identifier that authenticated the subject. Mirrors the single element in amr.

verification_model

string

Always present. One of disclosure (PII under user) or match (comparison envelope under match, with user: null).

user

object | null

Personal attributes (present per granted scopes and source availability). null when verification_model is match.

Show User fields

name

string

Display name

given_name

string

Given nam

family_name

string

Family name

birthdate

string

Birthdate in YYYY-MM-DD

string

Email address

email_verified

boolean

Whether the email is verified

phone_number

string

Phone number in E.164 format

phone_number_verified

boolean

Whether the phone number is verified

address

object | string

Structured address

nationality

string

ISO 3166-1 alpha‑2.

middle_name

string

Middle name(s)

nickname

string

Casual name or handle

preferred_username

string

Preferred username

profile

string

URL of the user’s profile page

picture

string

Base64-encoded image data of the user’s profile picture

gender

string

Gender value

zoneinfo

string

Time zone (IANA)

locale

string

Locale (BCP 47)

updated_at

number

Unix timestamp of last profile update

provenance

object

Verification context for this event.

Show Presentation

provenance.presentation.channel.type

string

centralized_idp, wallet, etc.

provenance.presentation.channel.transport

string

internet, nfc, etc.

provenance.presentation.credentials[]

array

Credentials presented for this verification.

provenance.presentation.credentials[].type

string

Provider identifier used when initiating the verification (for example, smartid).

provenance.presentation.credentials[].issuer.id

string

Issuer identifier.

provenance.presentation.credentials[].issuer.authority_name

string

Issuer display name.

provenance.presentation.credentials[].issuer.is_government

boolean

Government authority flag.

provenance.presentation.credentials[].claims

object

Raw source claims, when available.

provenance.presentation.credentials[].evidence

object

Token evidence object from the source (when provided). Includes token (provider-supplied key/value pairs) and names (semicolon-delimited list of keys present under token).

Show Metadata

provenance._metadata.verification_id

string

Verification session id.

provenance._metadata.verified_at

string

ISO 8601 verification timestamp.

match

object

Match envelope. Present only when verification_model is match.

Show Match fields

match.matched

boolean

Aggregate outcome across all submitted fields.

match.granularity

string

per_field or aggregate. Determines whether details is included.

match.submitted_fields

string[]

Field keys the RP submitted via matchData. Provider-native names — not OIDC-normalised.

match.details

object

Per-field outcomes, keyed by field name. Present only when granularity is per_field. Each entry exposes matched (boolean), submitted_value (RP-supplied value, userinfo only and only on matchData fields), and optionally similarity (0–100) when the upstream verifier provides it. May also carry passthrough verifier keys not in submitted_fields when the upstream provider emits them.

Example

curl -X GET 'https://sandbox.connect.hopae.com/userinfo' \
  -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIs...'

{
  "sub": "otV9EMJr-iG-dj-AHhrCslfdRkUUBQJ1",
  "hopae_loa": 3,
  "hopae_loa_label": "substantial",
  "missing_claims": [
    "email",
    "gender",
    "picture"
  ],
  "user": {
    "birthdate": "1905-04-04",
    "given_name": "OK",
    "family_name": "TESTNUMBER",
    "nationality": "LT",
    "name": "OK TESTNUMBER"
  },
  "provenance": {
    "presentation": {
      "channel": {
        "type": "centralized_idp",
        "transport": "internet"
      },
      "credentials": [
        {
          "type": "smartid",
          "issuer": {
            "id": "urn:hopae:issuer:ee:smartid",
            "authority_name": "SK ID Solutions AS",
            "is_government": false
          },
          "claims": {
            "documentNumber": "PNOLT-40504040001-MOCK-Q",
            "birthdate": "1905-04-04",
            "countryCode": "LT",
            "givenName": "OK",
            "surname": "TESTNUMBER"
          },
          "evidence": {
            "token": {
              "id_token": "<BASE64_ID_TOKEN>",
              "expires_at": "2025-10-31T05:43:14.000Z",
              "access_token": "<OPAQUE_ACCESS_TOKEN>",
              "token_type": "Bearer"
            },
            "names": "id_token;expires_at;access_token;token_type"
          }
        }
      ]
    },
    "_metadata": {
      "verification_id": "3162dd47a26b4218b5fa708761889e44",
      "verified_at": "2025-10-28T06:20:36.992Z"
    }
  }
}

{
  "sub": "dZwCCSTLVMlJlXKTgSERCsApC7OUnBKT",
  "amr": ["id-nik-match"],
  "provider_id": "id-nik-match",
  "verification_model": "match",
  "hopae_loa": 1,
  "hopae_loa_label": "none",
  "missing_claims": [],
  "user": null,
  "provenance": {
    "presentation": {
      "channel": { "type": "centralized_idp", "transport": "internet" },
      "credentials": [
        {
          "type": "id-nik-match",
          "claims": {
            "fullName": true,
            "dateOfBirth": true,
            "nationalIdNo": true
          },
          "issuer": {
            "authority_name": "Directorate General of Population and Civil Registration (Dukcapil)",
            "is_government": true
          },
          "evidence": {
            "token": {
              "integrator_jws": "eyJhbGciOiJSUzI1NiIsInR5cCI6...",
              "token_type": "integrator"
            },
            "names": "integrator_jws;token_type"
          }
        }
      ]
    },
    "_metadata": {
      "verification_id": "f34e2801c3914b3284f2829ea48eeafc",
      "verified_at": "2026-04-26T15:56:11.110Z",
      "status": "completed"
    }
  },
  "match": {
    "matched": true,
    "granularity": "per_field",
    "submitted_fields": ["fullName", "dateOfBirth"],
    "details": {
      "fullName":    { "matched": true, "submitted_value": "Test User" },
      "dateOfBirth": { "matched": true, "submitted_value": "1990-01-01" }
    }
  }
}

Evidence keys are provider-specific. Inspect names to determine which fields are present under evidence.token.

For match providers, provenance.presentation.credentials[].claims carries the upstream IDP response verbatim — typically per-field boolean confirmation from the source authority. This is the audit record of what the source agreed with, not a duplicate of match.details.

Overview

OIDC

REST API

Headers

Responses

Example

Overview

OIDC

REST API

Documentation Index

​Headers

​Responses

​Example

Headers

Responses

Example