The JWT specification defines registered claims and also allows for public and private claims to be included in the token. The seven optional, registered claims are:

  • iss
  • sub
  • aud
  • exp
  • nbf
  • iat
  • jti

When you configure private claims for your organization, make sure you avoid name collisions because private claim names are not registered.


When a user signs on with OpenID Connect (OIDC), the Policy Editor uses the JWT sub claim in the user profile as the default OIDC user ID. Changes committed by policy editors are recorded under this user ID. If your organization wants to record changes under the email address instead, you can define a different claim, such as email, for the OIDC user ID.

To define this claim:

  1. Make a copy of the default options file.
    $ cp config/options.yml my-options.yml
  2. In the core section of the new options file, uncomment the example Authentication.oidcUserIdField field that uses the email claim.
    # Use a JWT claim other than "sub" for the OIDC User ID. 
    # Authentication.oidcUserIdField: jwt_claim
    Authentication.oidcUserIdField: "email"
  3. Stop the Policy Editor.
    $ bin/stop-server
  4. Run setup using the --optionsFile argument and customize all other options as appropriate for your needs.
    $ bin/setup demo \
      --adminUsername admin \
      --generateSelfSignedCertificate \
      --decisionPointSharedSecret pingauthorize \
      --hostname <pap-hostname> \
      --port <pap-port> \
      --adminPort <admin-port> \
      --licenseKeyFile <path-to-license> \
      --optionsFile my-options.yml
  5. Start the Policy Editor.
    $ bin/start-server
  6. To verify that your claim is used, commit a policy change in the Policy Editor at Branch Manager > Version Control and ensure that your claim appears in the Creator column.