OAUTH2 Tokens

The Wink Login SDK provides the app developer with standard OAuth tokens (Access Token, ID Token and Refresh Token). The app developer has to decrypt these tokens to read the needed information from the included claims and scopes.

The provided tokens are:

ID Token / Access Token

These tokens contain a tokenized version of the user profile. An example of the decrypted version of these tokens is shown below.
Some of the useful claims in the token are:

  • exp: expiry date and time
  • azp: ClientID of the host app
  • sub: WinkToken for the recognized user (should be mapped to the UUID of the user in the app developer's system)
  • User Profile:
    o given_name = FirstName
    o family_name = LastName
    o phone_number = MobileNumber
    o email = email
    o preferred_username = WinkTag (unique username of this user across the entire Wink ecosystem)

To use the Access Token and detokenize the user profile to clear values, see the API section titled Validating the Tokens.

{
    "exp": 1690678380,
    "iat": 1690678080,
    "auth_time": 0,
    "jti": "87341fe0-78f3-4da5-90d9-9141b84d1660",
    "iss": "https://stagekeycloak.winklogin.com/realms/wink",
    "aud": [
        "stage-winkwallet",
        "account"
    ],
    "sub": "df56a892-0240-4caf-b691-561384ff38ae",
    "typ": "ID",
    "azp": "stage-winkwallet",
    "nonce": "6db8035c-6649-4738-9e26-8a3a40fed918",
    "session_state": "b1b02c63-04f4-4f56-ab8b-28e08c4f2219",
    "at_hash": "jLGVkOgYhU2D6bM2nweIpQ",
    "acr": "0",
    "sid": "b1b02c63-04f4-4f56-ab8b-28e08c4f2219",
    "email_verified": true,
    "phone_number": "tok_sandbox_pxoz9Q1o5dbr8ZLhfvdhEV",
    "oid": "438f384f-5a72-424d-bf8d-fa706d5a2de0",
    "preferred_username": ";stage-deepak",
    "given_name": "tok_sandbox_mWjACm5tKWZZ6rvyf69hrf",
    "family_name": "tok_sandbox_7gYfSdgS7aiabfhBhoZdxM",
    "email": "tok_sandbox_uEiSusKi6bcwirXH4GPx7i"
}

Refresh Token

This token can be used to extend the expiry date of all 3 tokens by 5 min. When decrypted, this token looks like the example below.

This token has an expiry period of 30 min and can be used to extend the expiry period of all tokens (including the refresh token itself) by 5 min, but it must be used while all the tokens are still valid.

{
    "exp": 1690679880,
    "iat": 1690678080,
    "jti": "64ad4e5e-1ccf-4ce4-b379-9ef43dd84251",
    "iss": "https://stagekeycloak.winklogin.com/realms/wink",
    "aud": "https://stagekeycloak.winklogin.com/realms/wink",
    "sub": "df56a892-0240-4caf-b691-561384ff38ae",
    "typ": "Refresh",
    "azp": "stage-winkwallet",
    "nonce": "6db8035c-6649-4738-9e26-8a3a40fed918",
    "session_state": "b1b02c63-04f4-4f56-ab8b-28e08c4f2219",
    "scope": "openid profile email",
    "sid": "b1b02c63-04f4-4f56-ab8b-28e08c4f2219"
}

Please see the Integrating Wink Login section on how to use these tokens in your app.
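
The following is an added example, not code from the Wink SDK or its documentation: checks a back end could apply to the claims described above once the token itself has been validated as covered in Validating the Tokens. The claim values are copied from the samples on this page (ID token abridged); the function names and the "tok_" prefix test for tokenized profile values are assumptions made for illustration.

```python
import time

# Claims copied from the decrypted sample tokens on this page (abridged).
ID_CLAIMS = {
    "exp": 1690678380, "iat": 1690678080,
    "iss": "https://stagekeycloak.winklogin.com/realms/wink",
    "aud": ["stage-winkwallet", "account"],
    "sub": "df56a892-0240-4caf-b691-561384ff38ae",
    "typ": "ID", "azp": "stage-winkwallet",
    "phone_number": "tok_sandbox_pxoz9Q1o5dbr8ZLhfvdhEV",
    "preferred_username": ";stage-deepak",
    "given_name": "tok_sandbox_mWjACm5tKWZZ6rvyf69hrf",
    "family_name": "tok_sandbox_7gYfSdgS7aiabfhBhoZdxM",
    "email": "tok_sandbox_uEiSusKi6bcwirXH4GPx7i",
}
REFRESH_CLAIMS = {"exp": 1690679880, "iat": 1690678080, "typ": "Refresh",
                  "azp": "stage-winkwallet",
                  "sub": "df56a892-0240-4caf-b691-561384ff38ae"}
PROFILE_CLAIMS = ("given_name", "family_name", "phone_number", "email", "preferred_username")

def claim_problems(claims, issuer, client_id, now=None):
    """Return reasons to reject an ID token whose signature was already verified."""
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    problems = []
    if claims.get("typ") != "ID":
        problems.append("typ is not ID")
    if claims.get("iss") != issuer:
        problems.append("unexpected issuer")
    if claims.get("azp") != client_id or client_id not in aud:
        problems.append("token was not issued to this client")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        problems.append("expired")
    if not claims.get("sub"):
        problems.append("missing sub")
    return problems

def tokenized_profile_fields(claims, prefix="tok_"):
    """Profile claims still holding tokenized values (prefix is an assumption from the sample)."""
    return sorted(k for k in PROFILE_CLAIMS if str(claims.get(k, "")).startswith(prefix))

def can_refresh(id_claims, refresh_claims, now):
    """Refresh is only possible while every token is still unexpired."""
    return (refresh_claims.get("typ") == "Refresh"
            and refresh_claims.get("sub") == id_claims.get("sub")
            and now < min(id_claims["exp"], refresh_claims["exp"]))
```

In the sample data the ID token lives for 300 seconds and the refresh token for 1800 seconds, so can_refresh turns false as soon as the shorter-lived ID token expires, even though the refresh token itself is still unexpired.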


What’s Next

Now that you have understood how the Wink Login SDK works, let's explore how easy it is to integrate Wink Login into your application's Front End and Back End flows.