UserInfo Endpoint
The UserInfo endpoint returns profile information about the authenticated user or agent. It is the standard OpenID Connect endpoint for reading the current profile claims associated with an access token.
GET / POST /orgs/{orgId}/api/v1/oauth/userinfo
When to Use UserInfo
The ID token carries the claims as they were at the moment of authentication; the UserInfo endpoint returns the current profile data, which may have changed since. Call it when you need to:
- Display a user profile page.
- Sync user data with your database.
- Check current roles and permissions.
- Retrieve claims that aren't in the ID token.
Request
Include the access token in the Authorization header:
```bash
curl -X GET https://app.lumoauth.dev/orgs/acme-corp/api/v1/oauth/userinfo \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```
Response: User Identity
For regular users authenticated via OAuth:
```json
{
  "sub": "12345",
  "name": "John Smith",
  "email": "john@example.com",
  "email_verified": true,
  "picture": "https://example.com/avatars/john.jpg",
  "roles": ["ROLE_USER", "ROLE_EDITOR"],
  "organization": "acme-corp",
  "updated_at": 1704063600
}
```
Response: Agent Identity
For AI agents authenticated via client credentials or workload federation:
```json
{
  "sub": "agent_analyst_bot",
  "name": "Financial Analyst Bot",
  "agent_id": "agt_abc123",
  "identity_type": "agent",
  "capabilities": [
    "read:reports",
    "tool:search",
    "write:analysis"
  ],
  "workload_identity": "aws:sts:analyst-server",
  "organization": "acme-corp",
  "budget_policy": {
    "max_tokens_per_day": 100000,
    "max_api_calls_per_hour": 1000
  }
}
```
Response Fields
Standard OIDC Claims
| Claim | Description | Scope Required |
|---|---|---|
| sub | Unique identifier for the user or agent | openid |
| name | Full name | profile |
| email | Email address | email |
| email_verified | Whether the email has been verified | email |
| picture | Profile picture URL | profile |
LumoAuth-Specific Claims
| Claim | Description |
|---|---|
| roles | Array of roles assigned to the user |
| organization | Organization slug the identity belongs to |
| identity_type | `user` or `agent` |
| capabilities | Agent-specific: allowed actions |
| workload_identity | Agent-specific: external identity source |
| budget_policy | Agent-specific: usage limits |
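The following is an added example of how a relying party should consume the two response shapes documented above; it is not LumoAuth's own client code. It embeds constructed sample bodies, verifies that `sub` matches the subject of the token the client already holds (an OpenID Connect Core requirement: on mismatch the UserInfo response must not be used), dispatches on `identity_type`, and treats the organization check as a hypothetical extra tenant guard.

```python
import json

# Constructed sample bodies modelled on the documented user and agent responses
# (an assumption for illustration, not live output of the service).
USER_RESPONSE = json.dumps({
    "sub": "12345", "name": "John Smith", "email": "john@example.com",
    "email_verified": True, "roles": ["ROLE_USER", "ROLE_EDITOR"],
    "organization": "acme-corp", "updated_at": 1704063600,
})
AGENT_RESPONSE = json.dumps({
    "sub": "agent_analyst_bot", "name": "Financial Analyst Bot",
    "agent_id": "agt_abc123", "identity_type": "agent",
    "capabilities": ["read:reports", "tool:search", "write:analysis"],
    "workload_identity": "aws:sts:analyst-server", "organization": "acme-corp",
})


class UserInfoError(ValueError):
    """Raised when a UserInfo response must not be used."""


def parse_userinfo(body: str, expected_sub: str, expected_org: str) -> dict:
    """Parse a UserInfo body and apply the checks a relying party needs.

    OpenID Connect Core 5.3.2: the `sub` in the UserInfo response must exactly
    match the `sub` of the ID token (for an agent, of the token it holds); on
    mismatch the response must not be used. The organization comparison is a
    hypothetical extra guard against a token issued for another tenant.
    """
    claims = json.loads(body)
    if claims.get("sub") != expected_sub:
        raise UserInfoError("sub mismatch: response must not be used")
    if claims.get("organization") != expected_org:
        raise UserInfoError("organization mismatch")
    identity_type = claims.get("identity_type", "user")  # absent => regular user
    if identity_type not in ("user", "agent"):
        raise UserInfoError(f"unknown identity_type: {identity_type!r}")
    claims["identity_type"] = identity_type
    return claims


def has_role(claims: dict, role: str) -> bool:
    """Role check for user identities only; agents carry capabilities, not roles."""
    return claims["identity_type"] == "user" and role in claims.get("roles", [])


def agent_may(claims: dict, action: str) -> bool:
    """Capability check for agent identities; exact string match, no wildcards."""
    return claims["identity_type"] == "agent" and action in claims.get("capabilities", [])
```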
Related
- Token endpoint — obtain the access token needed to call UserInfo
- Scopes — which claims are returned depends on the scopes granted