---
title: CTS token types
description: The Core Token Service (CTS) uses a generic LDAP schema for all token types.
component: pingam
version: 8
page_id: pingam:am-reference:cts-token-types
canonical_url: https://docs.pingidentity.com/pingam/8/am-reference/cts-token-types.html
keywords: ["CTS Store (Sessions & Tokens)"]
page_aliases: ["reference:cts-token-types.adoc"]
section_ids:
  oauth2-grant-set-tokens: OAuth 2.0 grant-set tokens
  ldap_attributes: LDAP attributes
  token_examples: Token examples
  client-side-oauth2-tokens: Client-side OAuth 2.0 tokens
  ldap_attributes_2: LDAP attributes
  token_examples_2: Token examples
  server-side-oauth2-tokens: Server-side OAuth 2.0 tokens
  ldap_attributes_3: LDAP attributes
  token_examples_3: Token examples
  other-oauth2-tokens: Other OAuth 2.0 tokens
  ldap_attributes_4: LDAP attributes
  token_examples_4: Token examples
  saml2-tokens: SAML 2.0 tokens
  ldap_attributes_5: LDAP attributes
  token_examples_5: Token examples
  session-tokens: Session tokens
  ldap_attributes_6: LDAP attributes
  token_examples_6: Token examples
  notification-tokens: Notification tokens
  ldap_attributes_7: LDAP attributes
  token_example: Token example
---

# CTS token types

The Core Token Service (CTS) uses a generic LDAP schema for all token types.

The following sections provide information about the different token types, including what LDAP attributes they use, the data stored in those attributes, and example token formats:

* [OAuth 2.0 grant-set tokens](#oauth2-grant-set-tokens)

* [Client-side OAuth 2.0 tokens](#client-side-oauth2-tokens)

* [Server-side OAuth 2.0 tokens](#server-side-oauth2-tokens)

* [Other OAuth 2.0 tokens](#other-oauth2-tokens)

* [SAML 2.0 tokens](#saml2-tokens)

* [Session tokens](#session-tokens)

* [Notification tokens](#notification-tokens)

> You can use this information to query the CTS using [LDAP searches](https://docs.pingidentity.com/pingds/8/ldap-guide/search-ldap.html). For example, if you want to list user OAuth 2.0 refresh tokens, you can filter on `coreTokenString03=user` and `coreTokenString10=refresh_token`.

## OAuth 2.0 grant-set tokens

OAuth 2.0 grant-set tokens are created when the [grant-set](../cts/cts-tuning-considerations.html#cts-oauth2-storage-scheme) scheme is used.

The grant-set acts as a container for all authorizations:

* Client-side access code tokens and grant tokens.

* Server-side access code tokens, access tokens, and refresh tokens.

### LDAP attributes

| LDAP attribute         | OAuth 2.0 grant-set token                                                                         |
| ---------------------- | ------------------------------------------------------------------------------------------------- |
| coreTokenUserId        |                                                                                                   |
| coreTokenType          | `OAUTH2_GRANT_SET`                                                                                |
| coreTokenString01      |                                                                                                   |
| coreTokenString02      |                                                                                                   |
| coreTokenString03      | *user*                                                                                            |
| coreTokenString04      |                                                                                                   |
| coreTokenString05      |                                                                                                   |
| coreTokenString06      |                                                                                                   |
| coreTokenString07      |                                                                                                   |
| coreTokenString08      | *realm*                                                                                           |
| coreTokenString09      | *client ID*                                                                                       |
| coreTokenString10      |                                                                                                   |
| coreTokenString11      |                                                                                                   |
| coreTokenString12      |                                                                                                   |
| coreTokenString13      |                                                                                                   |
| coreTokenString14      |                                                                                                   |
| coreTokenString15      |                                                                                                   |
| coreTokenString16      |                                                                                                   |
| coreTokenMultiString03 | *JSON representation of the OAuth 2.0 grant (access codes, refresh tokens, and access tokens)*(1) |

(1) The following abbreviations are used in this JSON representation:

* `g`: Unique identifier for the grant in the CTS

* `gx`: Grant expiry time

* `_s`: Scope

* `a`: Authorization code

* `ax`: Authorization code expiry time

* `asi`: Journey session ID token

* `aati`: Audit tracking ID

* `au`: Redirect URI

* `ast`: State

* `_am`: Authentication node in AM

* `_acr`: Authentication context class reference, if applicable

* `gt`: Grant type, if applicable

### Token examples

> **Collapse: Client-side grant-set token**
>
> ```bash
> dn: coreTokenId=kOrkxaDZ6fYcUrcE0c3PEMFIGNk,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> objectClass: frCoreToken
> objectClass: top
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenId: kOrkxaDZ6fYcUrcE0c3PEMFIGNk
> coreTokenMultiString03: {"g":"kOrkxaDZ6fYcUrcE0c3PEMFIGNk.xuPxwKKadXjWvMfKg9WFzvqIOC4","gx":1529062484276,"_s":["openid","profile"],"a":"kOrkxaDZ6fYcUrcE0c3PEMFIGNk.vm6gyeD5t8mF8nTYQ1XQBYTskMo","ax":1528454203638,"aati":"809b87b3-4fad-4ca1-9312-a7f0c669fd6c-34347","ai":true,"au":"https://example.com","asi":"AQIC5w...2NzEz*","ast":"1234","_am":"DataStore","_acr":"0","gt":[]}
> coreTokenMultiString03: {"g":"C7mzozs1XJKVvCT63JwQatoI-og.Xf_gOFNZOeGcY6ZLnGxX11N9NKQ","gx":1579098268014,"_s":["read"],"a":"C7mzozs1XJKVvCT63JwQatoI-og.BXUyATQtb9GoyrFvAacc6b20S4A","ax":1578489985511,"aati":"0e4db3cf-14e5-4d44-9f36-8e2fc6ac78a6-15583","ai":true,"an":"123456","au":"https://example.com","asi":"AQIC5w...2NzEz*","ast":"eHI6","_am":"DataStore","_acr":"0","r":"C7mzozs1XJKVvCT63JwQatoI-og.IbiBbTo1bCKelDu4hj5tb_2qbrk","gt":[]}
> coreTokenString03: bjensen
> coreTokenString08: /myRealm
> coreTokenString09: myClient
> coreTokenType: OAUTH2_GRANT_SET
> ```

> **Collapse: Server-side grant-set token**
>
> ```bash
> dn: coreTokenId=fx-GTfShtRhmJ89qMNVkxLx339U,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> objectClass: frCoreToken
> objectClass: top
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenId: fx-GTfShtRhmJ89qMNVkxLx339U
> coreTokenMultiString03: {"g":"fx-GTfShtRhmJ89qMNVkxLx339U.BwOWUGadbho7rKgCYj5Uq1XuRPc","gx":0,"_s":["openid","profile"],"a":"fx-GTfShtRhmJ89qMNVkxLx339U.0g7urZwlwyK_5gUOlC49t4PVUPo","ax":1540546982500,"aati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537161","ai":true,"au":"https://example.com","asi":"AQIC5w...2NzEz*","ast":"1234","_am":"DataStore","_acr":"0","r":"fx-GTfShtRhmJ89qMNVkxLx339U.vXS04FRzuWulPMomSoVDnZvj-6s","rx":1541151662549,"rgt":"authorization_code","rtt":"Bearer","rtn":"refresh_token","rati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537554","ro":"jS474J1xvNZwD-uLeJJeTDWjAzI","_at":1540546862,"_al":0,"gt":[{"t":"fx-GTfShtRhmJ89qMNVkxLx339U.SGEDFJ5BkuuKXKHVeV24_IzoHRg","tx":1540550462814,"tgt":"authorization_code","ts":["openid","profile"],"ttn":"access_token","tati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537841","tck":null}]}
> coreTokenString03: bjensen
> coreTokenString08: /myRealm
> coreTokenString09: myClient
> coreTokenType: OAUTH2_GRANT_SET
> ```

## Client-side OAuth 2.0 tokens

* Access code tokens

  Client-side access code tokens are created when the [one-to-one](../cts/cts-tuning-considerations.html#cts-oauth2-storage-scheme) scheme is used.

  They are used in the OAuth 2.0 authorization code flow and in the OIDC authorization code and hybrid flows. They provide the state for the code used by the client to retrieve an access token.

  Additionally, the value of the access code is used to form the unique identity of the subsequent grant token.

* OAuth 2.0 grant tokens

  Client-side OAuth 2.0 grant tokens are created when the [one-to-one](../cts/cts-tuning-considerations.html#cts-oauth2-storage-scheme) scheme is used.

  They replace individual access and refresh tokens with a single token indicating that a grant took place. This prevents additional data from being written to the CTS when a new access token is issued based on an existing refresh token with an existing grant ID. They use the grant ID value from the preceding access code if this token was generated with the OAuth 2.0 authorization code flow.

  The grant ID in the client-side OAuth 2.0 JWT matches the DN of the token in the CTS.

### LDAP attributes

| LDAP attribute    | Client-side access code token                         | Client-side OAuth 2.0 grant token            |
| ----------------- | ----------------------------------------------------- | -------------------------------------------- |
| coreTokenUserId   |                                                       | *user*                                       |
| coreTokenType     | `OAUTH`                                               | `OAUTH2_STATELESS_GRANT`                     |
| coreTokenString01 | *scopes*                                              |                                              |
| coreTokenString02 |                                                       |                                              |
| coreTokenString03 | *user*                                                |                                              |
| coreTokenString04 | *redirect\_uri*                                       | *client ID*                                  |
| coreTokenString05 |                                                       |                                              |
| coreTokenString06 | `true` (when the code is used and consent is granted) | *scope*                                      |
| coreTokenString07 | `Bearer`                                              |                                              |
| coreTokenString08 | *realm*                                               |                                              |
| coreTokenString09 | *client ID*                                           |                                              |
| coreTokenString10 | `access_code`                                         |                                              |
| coreTokenString11 | *nonce*                                               | *realm*                                      |
| coreTokenString12 |                                                       | *jti*                                        |
| coreTokenString13 |                                                       | *refresh token ID*(1)                        |
| coreTokenString14 |                                                       |                                              |
| coreTokenString15 | *grant ID*                                            |                                              |
| coreTokenString16 |                                                       |                                              |
| coreTokenDate01   |                                                       | *grace period end time for refresh token*(1) |

(1) These attributes are only populated when there's been at least one successful attempt to use a refresh token and the [refresh token grace period](../am-oauth2/oauth2-refresh-tokens.html#settings_for_refresh_tokens) is enabled.

### Token examples

> **Collapse: Client-side access code token**
>
> ```bash
> dn: coreTokenId=4e915f7a-08ec-4c65-915f-2256d6c3a503,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> objectClass: top
> objectClass: frCoreToken
> coreTokenObject: {"redirectURI":["https://example.com"],"clientID":["myClient"],"ssoTokenId":["AQIC5w...2NzEz*"],"auditTrackingId":["a7180708-c39b-4f92-90ea-b2b8bb79ec75-83912"],"tokenName":["access_code"],"authModules":[],"code_challenge_method":[],"userName":["bjensen"],"nonce":["abcdef"],"authGrantId":["f58f19f9-7f3f-43db-be90-466643414143"],"acr":[],"expireTime":["1523281431770"],"scope":["openid","profile"],"claims":[null],"realm":["/myRealm"],"id":["4e915f7a-08ec-4c65-915f-2256d6c3a503"],"state":[],"tokenType":["Bearer"],"code_challenge":[],"issued":["true"]}
> coreTokenString11: abcdef
> coreTokenString01: openid,profile
> coreTokenString10: access_code
> coreTokenString04: https://example.com
> coreTokenString15: f58f19f9-7f3f-43db-be90-466643414143
> coreTokenString03: bjensen
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenString08: /myRealm
> coreTokenString09: myClient
> coreTokenId: 4e915f7a-08ec-4c65-915f-2256d6c3a503
> coreTokenString06: true
> coreTokenString07: Bearer
> coreTokenType: OAUTH
> ```

> **Collapse: Client-side OAuth 2.0 grant token**
>
> ```bash
> dn: coreTokenId=f58f19f9-7f3f-43db-be90-466643414143,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> objectClass: top
> objectClass: frCoreToken
> coreTokenObject: {}
> coreTokenString11: /myRealm
> coreTokenString04: myClient
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenUserId: bjensen
> coreTokenId: f58f19f9-7f3f-43db-be90-466643414143
> coreTokenString06: openid,profile
> coreTokenType: OAUTH2_STATELESS_GRANT
> ```
>
> An example access token issued from this CTS grant token:
>
> ```json
> {
>   "sub": "bjensen",
>   "auth_level": 0,
>   "auditTrackingId": "610b705d-51a9-43e1-b59a-47b372b9d3ae",
>   "iss": "https://am.example.com:8443/am/oauth2/myRealm",
>   "tokenName": "access_token",
>   "token_type": "Bearer",
>   "authGrantId": "f58f19f9-7f3f-43db-be90-466643414143",
>   "nonce": "abcdef",
>   "aud": "myClient",
>   "nbf": 1523281312,
>   "grant_type": "authorization_code",
>   "scope": [
>     "openid",
>     "profile"
>   ],
>   "auth_time": 1523281311000,
>   "realm": "/myRealm",
>   "exp": 1523284912,
>   "iat": 1523281312,
>   "expires_in": 3600,
>   "jti": "c35e5c2a-081b-417f-82c5-2708781816d6"
> }
> ```

## Server-side OAuth 2.0 tokens

* Access tokens

  Server-side OAuth 2.0 access tokens are created when the [one-to-one](../cts/cts-tuning-considerations.html#cts-oauth2-storage-scheme) scheme is used.

  They are used in all OAuth 2.0 and OIDC flows and are issued when the OAuth 2.0 provider uses server-side tokens.

  These tokens are typically short-lived.

* Refresh tokens

  Server-side OAuth 2.0 refresh tokens are created when the [one-to-one](../cts/cts-tuning-considerations.html#cts-oauth2-storage-scheme) scheme is used.

  They are used in the OAuth 2.0 authorization code grant and resource owner password credentials flows and in the OIDC authorization code and hybrid flows. They are issued when the OAuth 2.0 provider uses server-side tokens.

  These tokens are often long-lived and exchanged for access tokens by clients.

### LDAP attributes

| LDAP attribute    | Server-side OAuth 2.0 access token | Server-side OAuth 2.0 refresh token |
| ----------------- | ---------------------------------- | ----------------------------------- |
| coreTokenUserId   |                                    |                                     |
| coreTokenType     | `OAUTH`                            | `OAUTH`                             |
| coreTokenString01 | *scopes*                           | *scopes*                            |
| coreTokenString02 |                                    |                                     |
| coreTokenString03 | *user*                             | *user*                              |
| coreTokenString04 | *redirect\_uri*                    | *redirect\_uri*                     |
| coreTokenString05 |                                    |                                     |
| coreTokenString06 |                                    |                                     |
| coreTokenString07 | `Bearer`                           | `Bearer`                            |
| coreTokenString08 | *realm*                            | *realm*                             |
| coreTokenString09 | *client ID*                        | *client ID*                         |
| coreTokenString10 | `access_token`                     | `refresh_token`                     |
| coreTokenString11 | *nonce*                            |                                     |
| coreTokenString12 | *grant type*                       | *grant type*                        |
| coreTokenString13 |                                    |                                     |
| coreTokenString14 |                                    |                                     |
| coreTokenString15 | *grant ID*                         | *grant ID*                          |
| coreTokenString16 |                                    |                                     |

### Token examples

> **Collapse: Server-side OAuth 2.0 access token**
>
> ```bash
> dn: coreTokenId=daaa2a39-ffe9-40a0-b0df-71dc6e278628,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> objectClass: top
> objectClass: frCoreToken
> coreTokenString11: abcdef
> coreTokenObject: {"redirectURI":["https://example.com"],"parent":["cafdd8cc-b155-464a-a020-15013532578c"],"clientID":["myClient"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-290"],"tokenName":["access_token"],"userName":["bjensen"],"authGrantId":["6f10ad62-1be7-4ebe-aeea-81b7c9eb3735"],"nonce":["abcdef"],"expireTime":["1502145569132"],"grant_type":["authorization_code"],"scope":["openid","profile"],"realm":["/myRealm"],"id":["daaa2a39-ffe9-40a0-b0df-71dc6e278628"],"tokenType":["Bearer"],"refreshToken":["21f89047-4bcf-4d62-853b-d4fa22d632e5"]}
> coreTokenString12: authorization_code
> coreTokenString01: openid,profile
> coreTokenString10: access_token
> coreTokenString15: 6f10ad62-1be7-4ebe-aeea-81b7c9eb3735
> coreTokenString04: https://example.com
> coreTokenString05: 21f89047-4bcf-4d62-853b-d4fa22d632e5
> coreTokenString02: cafdd8cc-b155-464a-a020-15013532578c
> coreTokenString03: bjensen
> coreTokenString08: /myRealm
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenString09: myClient
> coreTokenId: daaa2a39-ffe9-40a0-b0df-71dc6e278628
> coreTokenString07: Bearer
> coreTokenType: OAUTH
> ```

> **Collapse: Server-side OAuth 2.0 refresh token**
>
> ```bash
> dn: coreTokenId=21f89047-4bcf-4d62-853b-d4fa22d632e5,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> objectClass: top
> objectClass: frCoreToken
> coreTokenObject: {"redirectURI":["https://example.com"],"clientID":["myClient"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-289"],"tokenName":["refresh_token"],"authModules":[],"userName":["bjensen"],"authGrantId":["6f10ad62-1be7-4ebe-aeea-81b7c9eb3735"],"acr":[],"expireTime":["1502746769129"],"grant_type":["authorization_code"],"scope":["openid","profile"],"realm":["/myRealm"],"id":["21f89047-4bcf-4d62-853b-d4fa22d632e5"],"tokenType":["Bearer"]}
> coreTokenString12: authorization_code
> coreTokenString01: openid,profile
> coreTokenString10: refresh_token
> coreTokenString15: 6f10ad62-1be7-4ebe-aeea-81b7c9eb3735
> coreTokenString04: https://example.com
> coreTokenString03: bjensen
> coreTokenString08: /myRealm
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenString09: myClient
> coreTokenId: 21f89047-4bcf-4d62-853b-d4fa22d632e5
> coreTokenString07: Bearer
> coreTokenType: OAUTH
> ```

## Other OAuth 2.0 tokens

* OIDC operations (OPS) tokens

  OIDC OPS tokens provide a link between the OIDC ID token and the authenticated session that generated it. They contain a copy of the user's SSO token. This can make the token large when used with a realm that uses client-side sessions.

  These tokens are issued by the authorization code and implicit flows when the `openid` scope is requested, and session management is enabled in the OAuth 2.0 provider. You can disable [session management](services-configuration.html#enable-session-management) in the OAuth 2.0 provider if you don't use the `endSession` and `checkSession` endpoints; disabling session management reduces the load on the CTS.

* OAuth 2.0 device code tokens

  OAuth 2.0 device code tokens are used to persist the code in the device code flow. The format is the same whether client-side tokens are used or not, and they are typically short-lived.

### LDAP attributes

| LDAP attribute    | OIDC OPS token | OAuth 2.0 device code token |
| ----------------- | -------------- | --------------------------- |
| coreTokenUserId   |                |                             |
| coreTokenType     | `OAUTH`        | `OAUTH`                     |
| coreTokenString01 |                | *scopes*                    |
| coreTokenString02 |                |                             |
| coreTokenString03 |                | *user*                      |
| coreTokenString04 |                |                             |
| coreTokenString05 |                |                             |
| coreTokenString06 |                |                             |
| coreTokenString07 |                |                             |
| coreTokenString08 |                | *realm*                     |
| coreTokenString09 |                | *client ID*                 |
| coreTokenString10 |                | `device_code`               |
| coreTokenString11 |                |                             |
| coreTokenString12 |                |                             |
| coreTokenString13 |                |                             |
| coreTokenString14 |                | *device\_code*              |
| coreTokenString15 |                |                             |
| coreTokenString16 |                |                             |

### Token examples

> **Collapse: Server-side session realm OPS token**
>
> ```bash
> dn: coreTokenId=c23b5787-ace5-43c4-aeb3-369bbf4e07be,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> objectClass: top
> objectClass: frCoreToken
> coreTokenObject: {"id":["c23b5787-ace5-43c4-aeb3-369bbf4e07be"],"ops":["AQIC5wM2LY4S...kyNgACUzEAAjAx*"],"expireTime":["1502145569141"]}
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenId: c23b5787-ace5-43c4-aeb3-369bbf4e07be
> coreTokenType: OAUTH
> ```

> **Collapse: Client-side session realm OPS token**
>
> ```bash
> dn: coreTokenId=938fbe6a-cab6-48fc-ba42-3dbe82af61f3,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> objectClass: top
> objectClass: frCoreToken
> coreTokenObject: {"id":["938fbe6a-cab6-48fc-ba42-3dbe82af61f3"],"ops":["AQIC5wM2LY4S...PXN0YXRlbGVzc3JlYWx...kyNgACUzEAAjAx*"],"expireTime":["1502145569471"]}
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenId: 938fbe6a-cab6-48fc-ba42-3dbe82af61f3
> coreTokenType: OAUTH
> ```

> **Collapse: Device code token**
>
> ```bash
> dn: coreTokenId=501905e0-b350-47d5-92cc-161a4291116f,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> objectClass: top
> objectClass: frCoreToken
> coreTokenObject: {"clientID":["myClient"],"expireTime":["1502142269359"],"user_code":["PDRxhXht"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-311"],"scope":["profile"],"tokenName":["device_code"],"response_type":["token"],"realm":["/myRealm"],"id":["501905e0-b350-47d5-92cc-161a4291116f"],"userName":["bjensen"],"AUTHORIZED":["true"]}
> coreTokenString01: profile
> coreTokenString10: device_code
> coreTokenString14: PDRxhXht
> coreTokenString03: bjensen
> coreTokenString08: /myRealm
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenString09: myClient
> coreTokenId: 501905e0-b350-47d5-92cc-161a4291116f
> coreTokenType: OAUTH
> ```

## SAML 2.0 tokens

* SAML 2.0 tokens

  SAML 2.0 tokens are only saved to the CTS when SAML 2.0 failover is enabled, which it is by default.

* Assertion tokens

  Assertions are saved to the CTS when SAML 2.0 failover is enabled, the [Assertion Cache](../am-saml2/saml2-reference.html#assertion-cache) is enabled for the IdP, and AM is acting as the IdP.

* AuthnRequest tokens

  AuthnRequests are saved to the CTS when SAML 2.0 failover is enabled and AM is acting as the SP.

The `coreTokenObject` can be either JSON or a base64-encoded string.

### LDAP attributes

| LDAP attribute    | SAML 2.0 token                                  | SAML 2.0 assertion token | SAML 2.0 AuthnRequest token                           |
| ----------------- | ----------------------------------------------- | ------------------------ | ----------------------------------------------------- |
| coreTokenUserId   |                                                 |                          |                                                       |
| coreTokenType     | `SAML2`                                         | `SAML2`                  | `SAML2`                                               |
| coreTokenString01 | `com.sun.identity.saml2.profile.IDPSessionCopy` | `java.lang.String`       | `com.sun.identity.saml2.profile.AuthnRequestInfoCopy` |
| coreTokenString02 |                                                 |                          |                                                       |
| coreTokenString03 |                                                 |                          |                                                       |
| coreTokenString04 |                                                 |                          |                                                       |
| coreTokenString05 |                                                 |                          |                                                       |
| coreTokenString06 |                                                 |                          |                                                       |
| coreTokenString07 |                                                 |                          |                                                       |
| coreTokenString08 |                                                 |                          |                                                       |
| coreTokenString09 |                                                 |                          |                                                       |
| coreTokenString10 |                                                 |                          |                                                       |
| coreTokenString11 |                                                 |                          |                                                       |
| coreTokenString12 |                                                 |                          |                                                       |
| coreTokenString13 |                                                 |                          |                                                       |
| coreTokenString14 |                                                 |                          |                                                       |
| coreTokenString15 |                                                 |                          |                                                       |
| coreTokenString16 |                                                 |                          |                                                       |

### Token examples

> **Collapse: SAML 2.0 token**
>
> ```bash
> dn: coreTokenId=733237633231656432303961383835626662623039343434653564666532323964366632376466343032,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> objectClass: top
> objectClass: frCoreToken
> coreTokenId: 733237633231656432303961383835626662623039343434653564666532323964366632376466343032
> coreTokenType: SAML2
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenObject:: eyJkb0xvZ291dEFsbCI6ZmFsc2UsIm1ldGFBbGlhcyI6Ii9pZHAiLCJuYW1lSURhbmRTUHBhaXJzIjpbeyJuYW1lSUQiOnsiQGNsYXNzIjoiY29tLnN1bi5pZGVudGl0eS5zYW1sMi5hc3NlcnRpb24uaW1wbC5OYW1lSURJbXBsIiwiZm9ybWF0IjoidXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCIsImlzTXV0YWJsZSI6dHJ1ZSwibmFtZVF1YWxpZmllciI6Imh0dHBzOi8vaWRwLmV4YW1wbGUuY29tOjQ0My9pZHAiLCJzcE5hbWVRdWFsaWZpZXIiOiJodHRwczovL3NwLmV4YW1wbGUuY29tOjg0NDMvc3AiLCJzcFByb3ZpZGVkSUQiOm51bGwsInZhbHVlIjoiK3h4dXQxc3BCR0lWUWJLMDJMbHBNTUhDS1loVyJ9LCJzcEVudGl0eUlEIjoiaHR0cHM6Ly9zcC5leGFtcGxlLmNvbTo4NDQzL3NwIn1dLCJvcmlnaW5hdGluZ0xvZ291dFJlcXVlc3RCaW5kaW5nIjpudWxsLCJvcmlnaW5hdGluZ0xvZ291dFJlcXVlc3RJRCI6bnVsbCwib3JpZ2luYXRpbmdMb2dvdXRTUEVudGl0eUlEIjpudWxsLCJwZW5kaW5nTG9nb3V0UmVxdWVzdElEIjpudWxsLCJzc29Ub2tlbklEIjoiVWxNY0luVlVfR1VnWEdHbTdwTTA0R2h1WHdvLipBQUpUU1FBQ01ETUFBbE5MQUJ4dldYTlNkbTE0U1cxVUszUnpOVkJLVjFwcU5FODJaVGxxYWpnOUFBUjBlWEJsQUFORFZGTUFBbE14QUFJd01nLi4qIn0
> coreTokenString01: com.sun.identity.saml2.profile.IDPSessionCopy
> ```
>
> If the `coreTokenObject` is a string, you can base64 decode it. For example, the above string decodes as follows:
>
> ```json
> {
>    "doLogoutAll":false,
>    "metaAlias":"/idp",
>    "nameIDandSPpairs":[
>       {
>          "nameID":{
>             "@class":"com.sun.identity.saml2.assertion.impl.NameIDImpl",
>             "format":"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
>             "isMutable":true,
>             "nameQualifier":"https://idp.example.com:443/idp",
>             "spNameQualifier":"https://sp.example.com:8443/sp",
>             "spProvidedID":null,
>             "value":"+xxut1spBGIVQbK02LlpMMHCKYhW"
>          },
>          "spEntityID":"https://sp.example.com:8443/sp"
>       }
>    ],
>    "originatingLogoutRequestBinding":null,
>    "originatingLogoutRequestID":null,
>    "originatingLogoutSPEntityID":null,
>    "pendingLogoutRequestID":null,
>    "ssoTokenID":"UlMcInVU_GUgXGGm7pM04GhuXwo.*AAJTSQACMDMAAlNLABxvWXNSdm14SW1UK3RzNVBKV1pqNE82ZTlqajg9AAR0eXBlAANDVFMAAlMxAAIwMg..*"
> }
> ```

> **Collapse: Assertion token**
>
> ```bash
> dn: coreTokenId=4141514141465630674d52516d69643478435642777932316a714463507a5733566f62703738524a624b36523866755737303567545070624d44453d,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> control: 1.3.6.1.4.1.36733.2.1.5.1 false: bcb3efeb-14a9-47be-8716-9c18918322c8-19593/8
> changetype: add
> objectClass: frCoreToken
> objectClass: top
> coreTokenId: 4141514141465630674d52516d69643478435642777932316a714463507a5733566f62703738524a624b36523866755737303567545070624d44453d
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenType: SAML2
> coreTokenObject: "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"s2d254cb2c6567979aa293a25d1e0c2c185c976524\" Version=\"2.0\" IssueInstant=\"2024-08-08T14:21:36Z\" Destination=\"https://sp.example.com:8443/am/Consumer/metaAlias/sp\"><saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">IdP</saml:Issuer><samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n<samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\">\n</samlp:StatusCode>\n</samlp:Status><saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" Version=\"2.0\" ID=\"s2f4d9640d71d59c81f145d17cdb738c8ff4d9e5fc\" IssueInstant=\"2024-08-08T14:21:36Z\">\n<saml:Issuer>IdP</saml:Issuer><saml:Subject>\n<saml:NameID NameQualifier=\"IdP\" SPNameQualifier=\"SP\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\">L+OjhuzCtalCRDSox+F3eMcjxjt2</saml:NameID><saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">\n<saml:SubjectConfirmationData NotOnOrAfter=\"2024-08-08T14:21:36Z\" Recipient=\"https://sp.example.com:8443/am/Consumer/metaAlias/sp\" ></saml:SubjectConfirmationData></saml:SubjectConfirmation>\n</saml:Subject><saml:Conditions NotBefore=\"2024-08-08T14:21:36Z\" NotOnOrAfter=\"2024-08-08T14:21:36Z\">\n<saml:AudienceRestriction>\n<saml:Audience>SP</saml:Audience>\n</saml:AudienceRestriction>\n</saml:Conditions>\n<saml:AuthnStatement AuthnInstant=\"2024-08-08T14:21:36Z\" SessionIndex=\"s251a8cdd305404bdf8a4d493860732c2f75842f01\"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>\n</samlp:Response>"
> coreTokenString01: java.lang.String
> ```

> **Collapse: AuthnRequest token**
>
> ```bash
> dn: coreTokenId=733230323466363833626637636133316239333932316532616263653035616164656531323931613964,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> objectClass: frCoreToken
> objectClass: top
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenId: 733230323466363833626637636133316239333932316532616263653035616164656531323931613964
> coreTokenObject: {"authnRequest":"<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"s2024f683bf7ca31b93921e2abce05aadee1291a9d\" Version=\"2.0\" IssueInstant=\"2024-08-08T14:21:36Z\" Destination=\"https://idp.example.com:443/am/SSORedirect/metaAlias/idp\" ForceAuthn=\"false\" IsPassive=\"false\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"https://am.example.com:8443/am/Consumer/metaAlias/sp\">\n<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">https://am.example.com:8443/am</saml:Issuer>\n<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\" SPNameQualifier=\"https://am.example.com:8443/am\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n<samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\"><saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n</samlp:AuthnRequest>","idpEntityID":"myIdP","paramsMap":{"binding":["HTTP-POST"]},"realm":"/myRealm","relayState":null,"spEntityID":"mySP"}
> coreTokenString01: com.sun.identity.saml2.profile.AuthnRequestInfoCopy
> coreTokenType: SAML2
> ```

## Session tokens

* Session tokens

  The server-side session token is created in the CTS when a user authenticates to a realm configured for server-side sessions. This token allows a user to remain authenticated, even when the AM instance they authenticated to has been shut down.

* Session denylist tokens

  The client-side session denylist token keeps a record of client-side sessions that were ended by logging out. This token is only created when [client-side session denylisting](../security/session-state-session-termination.html#session-state-configure-denylist) is enabled.

### LDAP attributes

| LDAP attribute         | Server-side session token | Client-side session denylist token |
| ---------------------- | ------------------------- | ---------------------------------- |
| coreTokenUserId        | *AM internal user DN*     |                                    |
| coreTokenType          | `SESSION`                 | `SESSION_BLACKLIST`                |
| coreTokenString01      |                           | *server id*                        |
| coreTokenString02      |                           |                                    |
| coreTokenString03      |                           |                                    |
| coreTokenString04      |                           |                                    |
| coreTokenString05      | *session token*           |                                    |
| coreTokenString06      | *session handle*          |                                    |
| coreTokenString07      |                           |                                    |
| coreTokenString08      |                           |                                    |
| coreTokenString09      |                           |                                    |
| coreTokenString10      |                           |                                    |
| coreTokenString11      | *realm*                   |                                    |
| coreTokenString12      |                           |                                    |
| coreTokenString13      |                           |                                    |
| coreTokenString14      |                           |                                    |
| coreTokenString15      |                           |                                    |
| coreTokenString16      |                           |                                    |
| coreTokenMultiString01 | *listeners*               |                                    |

### Token examples

> **Collapse: Server-side session token**
>
> ```bash
> dn: coreTokenId=-8288022266790569769,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> objectClass: top
> objectClass: frCoreToken
> coreTokenString11: /myRealm
> coreTokenObject: {"clientDomain":"dc=example,dc=com","clientID":"id=amadmin,ou=user,dc=example,dc=com",
> "cookieMode":true,"cookieStr":null,"creationTimeInMillis":1502229535517,"isSessionUpgrade":false,
> "listeners":{"9d16b2e1-50c2-43f8-86ce-97a67be1661a":true,"4bd2e5b4-22c8-4172-a2a6-b9f028e86dc8":true},
> "maxCachingTimeInMinutes":3,"maxIdleTimeInMinutes":30,"maxSessionTimeInMinutes":120,"restrictedTokensBySessionID":{},"sessionEventURLs":{},"sessionID":{"comingFromAuth":false,"cookieMode":null,"encryptedString":"AQIC5wM2LY4S...kyNgACUzEAAjAx*","sessionDomain":"dc=example,dc=com","sessionServer":"am.example.com","sessionServerID":"01","sessionServerPort":"8443","sessionServerProtocol":"https","sessionServerURI":"/am"},"sessionProperties":{"Locale":"en","authInstant":"2024-08-08T15:21:03Z","Organization":"dc=example,dc=com","UserProfile":"Required","Principals":"amadmin","successURL":"/am/console","CharSet":"UTF8","Service":"ldapService","Host":"192.0.2.0","cookieSupport":"true","FullLoginURL":"/am/XUI/?realm=%2FmyRealm","AuthLevel":"0","clientType":"genericHTML","AMCtxId":"77a740625b90bc6301","loginURL":"/am/XUI","UserId":"amadmin","AuthType":"DataStore","sun.am.UniversalIdentifier":"id=amadmin,ou=user,dc=example,dc=com","amlbcookie":"01","HostName":"192.0.2.0","Principal":"id=amadmin,ou=user,dc=example,dc=com","UserToken":"amadmin"},"sessionState":"VALID","sessionType":"USER","timedOutTimeInSeconds":0}
> coreTokenInteger07: 30
> coreTokenString12: 1502229535517
> coreTokenInteger06: 120
> coreTokenString04: 1502229797863
> coreTokenString05: AQIC5wM2LY4S...kyNgACUzEAAjAx*
> coreTokenMultiString01: 9d16b2e1-50c2-43f8-86ce-97a67be1661a
> coreTokenMultiString01: 4bd2e5b4-22c8-4172-a2a6-b9f028e86dc8
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenUserId: id=amadmin,ou=user,dc=example,dc=com
> coreTokenId: -8288022266790569769
> coreTokenString06: shandle:AQIC5wM2LY4S...kyNgACUzEAAjAx*
> coreTokenType: SESSION
> ```

> **Collapse: Client-side denylist token**
>
> ```bash
> dn: coreTokenId=7fac1a04-f358-4ed5-958b-48aac6dd5a34,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> objectClass: top
> objectClass: frCoreToken
> coreTokenString01: 01
> coreTokenDate01: 20240808142103.155Z
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenId: 7fac1a04-f358-4ed5-958b-48aac6dd5a34
> coreTokenType: SESSION_BLACKLIST
> ```
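
Because a server-side session entry stores the session token, the session handle, and the same token again as `sessionID.encryptedString` inside `coreTokenObject`, an LDIF export of the CTS should have those values masked before it is attached to a ticket or shared. The following is an added example, not PingAM code: the function names, the `[REDACTED]` marker, and the sample entry are constructed for illustration, and a `coreTokenObject` that is not readable JSON is masked in full.

```python
import base64
import json

# Table above: coreTokenString05 = session token, coreTokenString06 = session handle.
SECRET_ATTRS = {"coretokenstring05", "coretokenstring06"}
MASK = "[REDACTED]"
# Constructed sample entry; every value is a placeholder, not a real token.
SAMPLE = """\
dn: coreTokenId=1234,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
coreTokenType: SESSION
coreTokenString05: AQIC-constructed*
coreTokenString06: shandle:AQIC-constructed*
coreTokenObject: {"sessionID":{"encryptedString":"AQIC-constructed*",
 "sessionServerID":"01"},"sessionState":"VALID"}
"""

def parse_entry(text):
    """Parse one LDIF entry into (attribute, value) pairs."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded (continuation) line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    pairs = []
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):              # "attr:: value" is base64
            rest = base64.b64decode(rest[1:]).decode("utf-8", "replace")
        pairs.append((attr, rest.strip()))
    return pairs

def mask_value(attr, value):
    """Mask the session credentials held in one attribute of a SESSION token."""
    key = attr.lower()
    if key != "coretokenobject":
        return MASK if key in SECRET_ATTRS else value
    try:
        obj = json.loads(value)
        obj["sessionID"]["encryptedString"] = MASK
    except (ValueError, KeyError, TypeError):
        return MASK                           # fail closed on opaque objects
    return json.dumps(obj, sort_keys=True)

def redact(text):
    """Return (attribute, value) pairs with SESSION credentials masked."""
    pairs = parse_entry(text)
    is_session = any(a.lower() == "coretokentype" and v == "SESSION" for a, v in pairs)
    return [(a, mask_value(a, v)) for a, v in pairs] if is_session else pairs
```

Entries of any other `coreTokenType`, such as `SESSION_BLACKLIST`, are returned unchanged.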

## Notification tokens

The notification token provides alerts for session changes, such as when the maximum session time is reached or there is an active logout. This notification system is used by Agents and PingGateway over WebSockets to receive notifications about these session changes.

### LDAP attributes

| LDAP attribute    | Notification token |
| ----------------- | ------------------ |
| coreTokenUserId   |                    |
| coreTokenType     | `NOTIFICATION`     |
| coreTokenString01 |                    |
| coreTokenString02 |                    |
| coreTokenString03 |                    |
| coreTokenString04 |                    |
| coreTokenString05 |                    |
| coreTokenString06 |                    |
| coreTokenString07 |                    |
| coreTokenString08 |                    |
| coreTokenString09 |                    |
| coreTokenString10 |                    |
| coreTokenString11 |                    |
| coreTokenString12 |                    |
| coreTokenString13 |                    |
| coreTokenString14 |                    |
| coreTokenString15 |                    |
| coreTokenString16 |                    |

### Token example

> **Collapse: Notification token**
>
> ```bash
> dn: coreTokenId=b66384d2-4792-8bb1-f59f-aa5cff6f2e6c-5460,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com
> objectClass: frCoreToken
> objectClass: top
> coreTokenExpirationDate: 20240808152103.155Z
> coreTokenId: b36284d2-f59f-4692-8bb1-aa5cff6f2e6c-5460
> coreTokenObject:: eJyLrlYqyS/ITFayUtJPTE/NK9EvTi0uzszPU9JRSs7PKwGKKFlVK0EFSzNTgAqTjM2MLExSjHTTTC3TdE3MLI10LZKSDHUTE02T09LM0oxSzZJ1TcxNDYBmpJYBTQipLEgF6vPxd/cPDVGqrY0FAOjbJRI=
> coreTokenType: NOTIFICATION
> ```
