logto-io · wangsijie · May 25, 2026 · May 25, 2026 · May 25, 2026
diff --git a/docs/integrate-logto/protected-app.mdx b/docs/integrate-logto/protected-app.mdx
@@ -166,6 +166,23 @@ app.get('/', (req, res) => {
 app.listen(3000);
 ```
 
+## Customize ID token claims \{#customize-id-token-claims}
+
+By default, the `Logto-ID-Token` header includes standard OIDC claims (for example `sub`, `name`, and `email`). To include [extended claims](/developers/custom-id-token#extended-claims) such as roles or organization data, both of the following must be configured:
+
+1. **Tenant toggle**: Enable the claim in <CloudLink to="/customize-jwt">Console > Custom JWT > ID token</CloudLink>.
+2. **Protected App scopes**: In your Protected App settings, select the matching scope under **ID token claims** > **Additional scopes**.
+
+Extended claims are included in the forwarded ID token only when the claim is enabled in Custom JWT and the corresponding scope is selected for the Protected App. See [Custom ID token](/developers/custom-id-token) for the full list of extended scopes and claims.
+
+| Scope                                | Claims                               |
+| ------------------------------------ | ------------------------------------ |
+| `custom_data`                        | `custom_data`                        |
+| `identities`                         | `identities`, `sso_identities`       |
+| `roles`                              | `roles`                              |
+| `urn:logto:scope:organizations`      | `organizations`, `organization_data` |
+| `urn:logto:scope:organization_roles` | `organization_roles`                 |
+
 ## Get the original host \{#get-the-original-host}
 
 If you need to get the original host requested by the client, you can use the `Logto-Host` or `x-forwarded-host` header.