OIDC Bearer Tokens: List of Reserved Claims
API Access Management
Okta Classic Engine
Okta Identity Engine
Overview

Specifying certain claim names on a custom authorization server, adding certain claim names via a token inline hook, or attempting to modify certain claims with a token inline hook will result in an error.

Applies To
  • API Access Management
  • Custom Claims
  • Token Inline Hooks
Cause

Okta defines a number of reserved claims that cannot be overridden.

Solution

When adding a custom claim to a token or modifying a claim, the following reserved claims will not be usable.

Claim Name            Token Type
acr                   Access Token
amr                   Access Token
as_uri                Access Token
cid                   Access Token
groups                Access Token
rpt                   Access Token
rsi                   Access Token
uid                   Access Token
username              Access Token
active                ID Token
aid                   ID Token
aud                   ID Token
app_id                ID Token
app_type              ID Token
at_hash               ID Token
auth_time             ID Token
client_id             ID Token
client_ip             ID Token
client_req_id         ID Token
client_type           ID Token
client_user_agent     ID Token
cnf                   ID Token
c_hash                ID Token
device_compliance     ID Token
device_id             ID Token
device_known          ID Token
device_managed        ID Token
device_name           ID Token
device_trust          ID Token
did                   ID Token
dst                   ID Token
group                 ID Token
hotk                  ID Token
idp                   ID Token
idp_iss               ID Token
mac_key               ID Token
may_act               ID Token
nonce                 ID Token
oid                   ID Token
okta_emailVerified    ID Token
okta_lastUpdated      ID Token
orig                  ID Token
permissions           ID Token
purpose               ID Token
pwd_exp_days          ID Token
pwd_exp_time          ID Token
rid                   ID Token
role                  ID Token
scope                 ID Token
scopes                ID Token
sid                   ID Token
sub                   ID Token
term                  ID Token
user_ip               ID Token
iss                   Access Token & ID Token
jti                   Access Token & ID Token
token_type            Access Token & ID Token
ver                   Access Token & ID Token

In addition, several scope-dependent claims for the ID Token cannot be used either. Although they are not technically reserved, and can therefore be modified using Token Inline Hooks, they are unusable as custom claims.

Claim Name            Required Scope
name                  profile
nickname              profile
preferred_username    profile
given_name            profile
middle_name           profile
family_name           profile
profile               profile
zoneinfo              profile
locale                profile
updated_at            profile
email                 email
email_verified        email
address               address
phone_number          phone
groups                groups
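
One way to catch these errors before deployment is to lint custom claim names and token inline hook responses against the two tables above. This is an added example, not Okta's code. It assumes the standard hook response shape (com.okta.identity.patch / com.okta.access.patch commands with /claims/<name> paths) and treats a claim as reserved only for the token type the table lists; the function names and sample payload are constructed for illustration.

```python
import json
# Claim names copied from the two tables on this page.
ACCESS = set("acr amr as_uri cid groups rpt rsi uid username".split())
ID = set("""active aid aud app_id app_type at_hash auth_time client_id client_ip
client_req_id client_type client_user_agent cnf c_hash device_compliance device_id
device_known device_managed device_name device_trust did dst group hotk idp idp_iss
mac_key may_act nonce oid okta_emailVerified okta_lastUpdated orig permissions
purpose pwd_exp_days pwd_exp_time rid role scope scopes sid sub term user_ip""".split())
BOTH = set("iss jti token_type ver".split())
SCOPE_DEPENDENT = set("""name nickname preferred_username given_name middle_name
family_name profile zoneinfo locale updated_at email email_verified address
phone_number groups""".split())
# Token inline hook command types mapped to the reserved set of the token they patch.
RESERVED = {"com.okta.access.patch": ACCESS | BOTH, "com.okta.identity.patch": ID | BOTH}

def custom_claim_allowed(name, token):
    """token is 'access' or 'id'; False if name cannot be used as a custom claim."""
    if token == "access":
        return name not in ACCESS | BOTH
    return name not in ID | BOTH | SCOPE_DEPENDENT

def claim_from_path(path):
    """Top-level claim targeted by a patch path such as /claims/foo/bar, else None."""
    parts = path.split("/")
    if len(parts) < 3 or parts[0] or parts[1] != "claims" or not parts[2]:
        return None  # e.g. /token/lifetime/expiration is not a claim
    return parts[2].replace("~1", "/").replace("~0", "~")  # JSON Pointer escapes

def lint_hook_response(body):
    """Return (command type, op, claim) for each patch op that hits a reserved claim."""
    hits = []
    for cmd in json.loads(body).get("commands", []):
        reserved = RESERVED.get(cmd.get("type"), set())
        for op in cmd.get("value") or []:
            claim = claim_from_path(op.get("path", ""))
            if claim in reserved:
                hits.append((cmd["type"], op.get("op"), claim))
    return hits

# Constructed sample response, not captured from a real hook.
SAMPLE = json.dumps({"commands": [
    {"type": "com.okta.identity.patch", "value": [
        {"op": "add", "path": "/claims/department", "value": "eng"},
        {"op": "replace", "path": "/claims/sub", "value": "other-user"},
        {"op": "replace", "path": "/claims/email", "value": "a@example.com"}]},
    {"type": "com.okta.access.patch", "value": [
        {"op": "add", "path": "/claims/groups/0", "value": "admins"},
        {"op": "replace", "path": "/token/lifetime/expiration", "value": 3600}]}]})
```

Calling lint_hook_response(SAMPLE) flags the sub and groups operations; the email operation passes because scope-dependent claims are modifiable by a hook, while custom_claim_allowed("email", "id") rejects the same name as a custom claim.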

 
