
Action Token SPI


An action token is a special instance of a JSON Web Token (JWT) that permits its bearer to
perform some action, e.g. to reset a password or to validate an e-mail address. Action tokens are usually sent
to users in the form of a link that points to an endpoint processing action tokens for a particular
realm.

Keycloak offers four basic token types allowing the bearer to:

 Reset credentials
 Confirm e-mail address
 Execute required action(s)
 Confirm linking of an account with account in external identity provider

In addition to that, it is possible to implement any functionality that initiates or modifies
an authentication session using the action token SPI, details of which are described in the text below.

Anatomy of Action Token


An action token is a standard JSON Web Token signed with the active realm key. Its payload
contains several fields:

 typ - Identification of the action (e.g. verify-email)
 iat and exp - Times of token validity (issued-at and expiration)
 sub - ID of the user
 azp - ID of the client the token was issued for (authorized party)
 iss - Issuer - URL of the issuing realm
 aud - Audience - list containing the URL of the issuing realm
 asid - ID of the authentication session (optional)
 nonce - Random nonce to guarantee uniqueness of use if the operation can only be
executed once (optional)
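To make the claim layout above concrete, the following is an added worked example (not Keycloak's own code) that mints an action token with exactly these claims and then performs the checks an action-token endpoint must make before acting on it: signature, pinned algorithm, typ, iss/aud, iat/exp, and single-use enforcement via the nonce. Keycloak signs with the realm's active (asymmetric) key; this example assumes HS256 with a hypothetical shared secret so it runs with the standard library only, and the realm URL, user and client identifiers are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for this example; not real Keycloak identifiers.
REALM_URL = "https://keycloak.example.com/realms/demo"
SECRET = b"hypothetical-demo-key"  # stand-in for the realm's active key (assumption: HS256, not RS256)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_action_token(action, user_id, client_id, lifespan=300,
                      auth_session_id=None, single_use=False, now=None):
    """Build a signed action token with the claim layout described above."""
    now = int(time.time()) if now is None else now
    payload = {
        "typ": action,          # which action the bearer may perform
        "iat": now,
        "exp": now + lifespan,  # action-token lifespan in seconds
        "sub": user_id,
        "azp": client_id,
        "iss": REALM_URL,
        "aud": [REALM_URL],     # the issuing realm is its own audience
    }
    if auth_session_id is not None:
        payload["asid"] = auth_session_id
    if single_use:
        payload["nonce"] = secrets.token_hex(16)  # lets the verifier reject replays
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class ActionTokenVerifier:
    """The checks an action-token endpoint should make before acting on a token."""

    def __init__(self, expected_action):
        self.expected_action = expected_action
        self.used_nonces = set()  # server-side single-use ledger

    def verify(self, token, now=None):
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h, p, s = parts
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's alg
            raise ValueError("unexpected alg")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("bad signature")
        payload = json.loads(_b64url_decode(p))
        if payload.get("typ") != self.expected_action:
            raise ValueError("token is for a different action")
        aud = payload.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud
        if payload.get("iss") != REALM_URL or REALM_URL not in aud:
            raise ValueError("token not issued by or for this realm")
        if not (payload["iat"] <= now < payload["exp"]):
            raise ValueError("token expired or not yet valid")
        nonce = payload.get("nonce")
        if nonce is not None:
            if nonce in self.used_nonces:
                raise ValueError("token already used")
            self.used_nonces.add(nonce)
        return payload


def verification_error(verifier, token, now=None):
    """Return the rejection reason, or None if the token is accepted."""
    try:
        verifier.verify(token, now=now)
        return None
    except ValueError as e:
        return str(e)


def tamper_subject(token, new_sub):
    """Attacker simulation: rewrite 'sub' while keeping the original signature."""
    h, p, s = token.split(".")
    payload = json.loads(_b64url_decode(p))
    payload["sub"] = new_sub
    return h + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()) + "." + s
```

Note the order of checks: the signature is verified before any claim is read, the typ check stops a reset-credentials token from being accepted by the verify-email handler, and the nonce ledger is consulted only after every other check has passed so that a replayed token is rejected without consuming state for tokens that would have failed anyway.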
