---
title: /oauth2/userinfo
description: The /oauth2/userinfo endpoint is the OpenID Connect (OIDC) UserInfo endpoint.
component: pingam
version: 8.1
page_id: pingam:am-oidc1:rest-api-oidc-userinfo-endpoint
canonical_url: https://docs.pingidentity.com/pingam/8.1/am-oidc1/rest-api-oidc-userinfo-endpoint.html
keywords: ["OpenID Connect (OIDC)", "Standards", "Endpoints"]
page_aliases: ["oidc1-guide:rest-api-oidc-userinfo-endpoint.adoc"]
section_ids:
  subject_claims: Subject claims
  response_signing_and_encryption: Response signing and encryption
---

# /oauth2/userinfo

The `/oauth2/userinfo` endpoint is the OpenID Connect (OIDC) [UserInfo endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo).

Use this endpoint to request claims about the authenticated end user.

Specify the realm in the request URL; for example:

```none
https://am.example.com:8443/am/oauth2/realms/root/realms/alpha/userinfo
```

To access the endpoint, use an access token from an OIDC grant flow as the bearer token. The endpoint returns claims based on the scopes granted for the access token, as in the following example:

```bash
$ curl \
--request GET \
--header "Authorization: Bearer <access-token>" \
"https://am.example.com:8443/am/oauth2/realms/root/realms/alpha/userinfo"
{
  "name": "Babs Jensen",
  "family_name": "Jensen",
  "given_name": "Babs",
  "sub": "a0325ea4-9d9b-4056-931b-ab64704cc3da",
  "subname": "a0325ea4-9d9b-4056-931b-ab64704cc3da"
}
```

## Subject claims

The subject claim is in the format `(type!subject)`, where:

* `subject` is the identifier of the user/identity, or the name of the OAuth 2.0/OpenID Connect client that is the subject of the token.

* `type` can be one of the following:

  * `age`. Indicates the *subject* is an OAuth 2.0/OpenID Connect-related user-agent or client. Examples are an OAuth 2.0 client, a Remote Consent Service agent, and a Web and Java Agent internal client.

  * `usr`. Indicates the *subject* is a user/identity.

For example, `(usr!bjensen)` or `(age!myOAuth2Client)`.

The value of the `subname` claim matches the value of the *subject* portion of the `sub` claim.
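
The following client-side check of the subject claims in a decoded UserInfo response is an added example, not code from the PingAM documentation. It assumes a bare `sub` value (as in the sample response above) is acceptable, and it goes beyond this page by also comparing `sub` with the ID token's `sub`, as OpenID Connect Core requires. The function names and sample values are constructed for illustration.

```python
import re

# Types listed on this page: "age" (agent or client) and "usr" (user/identity).
KNOWN_TYPES = {"age", "usr"}
TYPED_SUB = re.compile(r"\((?P<type>[^!()]+)!(?P<subject>.+)\)")


def parse_sub(sub):
    """Split a sub claim into (type, subject); type is None for a bare value."""
    if not isinstance(sub, str) or not sub:
        raise ValueError("sub claim is missing or not a string")
    m = TYPED_SUB.fullmatch(sub)
    if m is None:
        return None, sub  # bare value, like the UUID in the sample response
    if m.group("type") not in KNOWN_TYPES:
        raise ValueError(f"unknown subject type: {m.group('type')!r}")
    return m.group("type"), m.group("subject")


def check_userinfo(claims, id_token_sub, require_type="usr"):
    """Return the subject identifier of a decoded response, or raise ValueError."""
    sub = claims.get("sub")
    # OpenID Connect Core 5.3.2: sub must exactly match the ID token's sub.
    if sub != id_token_sub:
        raise ValueError("sub does not match the ID token")
    sub_type, subject = parse_sub(sub)
    # When a type is present, refuse an agent/client where a user is expected.
    if sub_type is not None and sub_type != require_type:
        raise ValueError(f"subject type is {sub_type!r}, expected {require_type!r}")
    # This page: subname matches the subject portion of sub.
    if claims.get("subname") != subject:
        raise ValueError("subname does not match the subject portion of sub")
    return subject


# Constructed sample responses, not captured from a deployment.
TYPED = {"sub": "(usr!bjensen)", "subname": "bjensen"}
BARE = {"sub": "a0325ea4-9d9b-4056-931b-ab64704cc3da",
        "subname": "a0325ea4-9d9b-4056-931b-ab64704cc3da"}

if __name__ == "__main__":
    print(check_userinfo(TYPED, "(usr!bjensen)"))
    print(check_userinfo(BARE, BARE["sub"]))
```

Keying authorization decisions on the parsed type as well as the subject keeps a client named like a user from being treated as that user.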

## Response signing and encryption

The default response is a plain JSON object.

AM also supports responding with a signed JSON Web Token (JWT) or signed and encrypted JWT. JWT responses include the `aud` and `iss` claims.

To enable signing and encryption, follow these steps:

1. In the AM admin UI, go to Realms > *realm name* > Applications > OAuth 2.0 > Clients > *client ID* > Signing and Encryption and select the response type in the User info response format drop-down list.

2. If necessary, configure the signing and encryption properties:

   User info signed response algorithm\
   User info encrypted response algorithm\
   User info encrypted response encryption algorithm

3. Save your work.

4. To restrict the possible settings for the clients in the realm, edit the settings under Realms > *realm name* > Services > OAuth2 Provider > Advanced OpenID Connect.

5. Save your work.

For details, refer to the OAuth 2.0 provider reference documentation for [advanced OIDC settings](../setup/services-configuration.html#global-oauth-oidc-advanced-openid-connect) and to [Secret label default mappings](../security/secret-mapping.html#secret-label-mappings).
