Overview:
Unity Authentication JWTs (accessToken) include standard claims (iss, exp, sub) and Unity‑specific claims (idd, envName, envId, upid, project_id, sign_in_provider). The idd claim is the project’s ID Domain ID, and player IDs (sub) are unique only within that domain. You can use the accessToken with your own backend if you validate it properly (signature, issuer, audience, expiry) and then issue your own backend session token.
Symptoms:
- Uncertainty about Unity‑specific JWT claims (idd, envName, envId, upid, project_id, sign_in_provider).
- Questions about whether sub (player ID) is globally unique or scoped.
- Unsure whether the Unity Authentication accessToken can be used to authenticate with a self‑hosted backend.
Cause:
- Unity‑specific claims used for scoping/context aren’t fully described in public docs.
- Unity uses “ID Domains” to scope player identity:
  - idd = project‑specific ID Domain ID (UUID).
  - sub = player ID, unique only within the project’s ID Domain (not globally).
- Environment/project context appears in claims (envName, envId, upid, project_id).
- sign_in_provider indicates which identity provider was used.
Resolution:
- Claim meanings and scope
  - idd: ID Domain ID — 1:1 with Unity projects. All environments (dev, prod, test) for a given project share the same idd.
  - sub: Player ID — unique only within that project’s ID Domain.
  - envName / envId: Environment name and ID (for example, dev, prod).
  - upid / project_id: Unity Project ID.
  - sign_in_provider: Common values include:
    - anonymous, usernamepassword, unity, google.com, apple.com, facebook.com
    - apple-game-center, google-play-games, steampowered.com, oculus
    - nintendoswitch, xbox, playstation / playstation4 / playstation5
    - custom, code-link, oidc-<provider_name> (Console flows are not self‑serve and may require NDA.)
- Using the accessToken with your backend
  - Supported for custom backends: validate signature via JWKS and check iss, aud, exp, nbf.
  - After validation, extract needed claims (sub, idd, envId, project_id) and issue your own backend session token for subsequent requests.
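Added example (not Unity's code, and not from the original article): one way a Python backend could carry out the validation steps above with only the standard library. It assumes RS256-signed tokens, a JWKS document already fetched from the URL under More Information and parsed into a dict, and caller-supplied expected values for iss, aud, project_id and envId; the function names are hypothetical, and pinning project_id and envId is an extra policy choice made in this example.

```python
import base64, hashlib, json, time

# DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(s):
    """Decode unpadded base64url (JWT segments, JWK n/e)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def rs256_ok(signing_input, sig, jwk):
    """RSASSA-PKCS1-v1_5 with SHA-256, checked against an RSA JWK."""
    n = int.from_bytes(b64u(jwk["n"]), "big")
    e = int.from_bytes(b64u(jwk["e"]), "big")
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(s, e, n).to_bytes(k, "big") == expected

def validate(token, jwks, iss, aud, project_id, env_id, now=None, leeway=30):
    """Return (idd, sub) for a valid accessToken, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = json.loads(b64u(h64)), json.loads(b64u(p64)), b64u(s64)
        kid, alg = header.get("kid"), header.get("alg")
        exp, nbf = float(claims["exp"]), float(claims.get("nbf", 0))
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if alg != "RS256":  # pin the algorithm; never accept what the token picks
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == kid), None)
    if key is None or not rs256_ok(f"{h64}.{p64}".encode(), sig, key):
        raise ValueError("bad signature")
    auds = claims.get("aud")
    auds = auds if isinstance(auds, list) else [auds]
    if claims.get("iss") != iss or aud not in auds:
        raise ValueError("wrong issuer or audience")
    if now >= exp + leeway or now < nbf - leeway:
        raise ValueError("expired or not yet valid")
    if claims.get("project_id") != project_id or claims.get("envId") != env_id:
        raise ValueError("wrong project or environment")
    idd, sub = claims.get("idd"), claims.get("sub")
    if not (isinstance(idd, str) and isinstance(sub, str)):
        raise ValueError("missing idd or sub")
    # sub is unique only inside its ID Domain: key backend accounts on the pair
    return idd, sub
```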
More Information:
- Token validation guidance: https://services.docs.unity.com/docs/client-auth/#validate-the-token-id
- JWKS (Unity Authentication): https://player-auth.services.api.unity.com/.well-known/jwks.json
- Player Auth API (Get Player): https://services.docs.unity.com/player-auth/v1/index.html#tag/Player-Authentication/operation/GetPlayer
- Platform-specific Authentication APIs: https://services.docs.unity.com/docs/client-auth/#platform-specific-authentication-apis
- Keywords: Unity Authentication, accessToken, JWT claims, idd, ID Domain, sub uniqueness, sign_in_provider, JWKS validation, backend authentication.