From b3abc0c804d293d0c4647d562c1c896f88ae42de Mon Sep 17 00:00:00 2001 From: Cursor Agent Date: Mon, 25 May 2026 01:21:51 +0000 Subject: [PATCH 1/2] docs: document Protected App additional ID token scopes Document the ID token claims configuration introduced for Protected Apps. Cross-reference Custom JWT settings and the existing custom ID token guide. Co-authored-by: sijiewg --- docs/integrate-logto/protected-app.mdx | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/integrate-logto/protected-app.mdx b/docs/integrate-logto/protected-app.mdx index 5a9fb3a27a7..bc3852a3f5e 100644 --- a/docs/integrate-logto/protected-app.mdx +++ b/docs/integrate-logto/protected-app.mdx 
@@ -166,6 +166,23 @@ app.get('/', (req, res) => { app.listen(3000); ``` +## Customize ID token claims \{#customize-id-token-claims} + +By default, the `Logto-ID-Token` header includes standard OIDC claims (for example `sub`, `name`, and `email`). To include [extended claims](/developers/custom-id-token#extended-claims) such as roles or organization data, both of the following must be configured: + +1. **Tenant toggle**: Enable the claim in Console > Custom JWT > ID token. +2. **Protected App scopes**: In your Protected App settings, select the matching scope under **ID token claims** > **Additional scopes**. + +Extended claims are included in the forwarded ID token only when the claim is enabled in Custom JWT and the corresponding scope is selected for the Protected App. See [Custom ID token](/developers/custom-id-token) for the full list of extended scopes and claims. + +| Scope | Claims | +| ------------------------------------ | ------------------------------ | +| `custom_data` | `custom_data` | +| `identities` | `identities`, `sso_identities` | +| `roles` | `roles` | +| `urn:logto:scope:organizations` | `organizations`, `organization_data` | +| `urn:logto:scope:organization_roles` | `organization_roles` | + ## Get the original host \{#get-the-original-host} If you need to get the original host requested by the client, you can use the `Logto-Host` or `x-forwarded-host` header. From f7963fece659e05cda014914ace0536ca58cac45 Mon Sep 17 00:00:00 2001 From: Cursor Agent Date: Mon, 25 May 2026 01:30:26 +0000 Subject: [PATCH 2/2] style: fix protected-app.mdx table formatting for prettier --- docs/integrate-logto/protected-app.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/integrate-logto/protected-app.mdx b/docs/integrate-logto/protected-app.mdx index bc3852a3f5e..1b649913a01 100644 --- a/docs/integrate-logto/protected-app.mdx +++ b/docs/integrate-logto/protected-app.mdx 
@@ -175,13 +175,13 @@ By default, the `Logto-ID-Token` header includes standard OIDC claims (for examp Extended claims are included in the forwarded ID token only when the claim is enabled in Custom JWT and the corresponding scope is selected for the Protected App. See [Custom ID token](/developers/custom-id-token) for the full list of extended scopes and claims. -| Scope | Claims | -| ------------------------------------ | ------------------------------ | -| `custom_data` | `custom_data` | -| `identities` | `identities`, `sso_identities` | -| `roles` | `roles` | +| Scope | Claims | +| ------------------------------------ | ------------------------------------ | +| `custom_data` | `custom_data` | +| `identities` | `identities`, `sso_identities` | +| `roles` | `roles` | | `urn:logto:scope:organizations` | `organizations`, `organization_data` | -| `urn:logto:scope:organization_roles` | `organization_roles` | +| `urn:logto:scope:organization_roles` | `organization_roles` | ## Get the original host \{#get-the-original-host}
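Review bot: in the `@@ -166,6 +166,23 @@` hunk of PATCH 1/2, the sentence `Extended claims are included in the forwarded ID token only when the claim is enabled in Custom JWT and the corresponding scope is selected for the Protected App.` repeats the two numbered prerequisites directly above it (the list lead-in already says `both of the following must be configured`); drop the repeat and keep only the `See [Custom ID token](...)` cross-reference. Two additions would help the reader more: a one-line caveat that each selected scope widens what the upstream app receives in the `Logto-ID-Token` header (`custom_data`, `identities` and `sso_identities` can carry sensitive account data), so only scopes the app actually reads should be selected; and a check that the three bare scope names (`custom_data`, `identities`, `roles`) versus the `urn:logto:scope:`-prefixed organization scopes match the names listed in /developers/custom-id-token exactly, since this table is what readers will copy into the Additional scopes setting.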
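Review bot: PATCH 2/2 (the `@@ -175,13 +175,13 @@` hunk) only widens the `Claims` column of the table that PATCH 1/2 introduced in the same file so that the `organizations`, `organization_data` row lines up for prettier; squash it into the first commit, or run prettier before committing the docs change, so the series does not carry a formatting-only fixup commit.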