# Class IdToken (1.39.0)

    public class IdToken extends JsonWebSignature

Beta

ID token as described in [ID Token](http://openid.net/specs/openid-connect-basic-1_0-27.html#id_token).

Use [#parse(JsonFactory, String)](/java/docs/reference/google-oauth-client/latest/com.google.api.client.auth.openidconnect.IdToken#com_google_api_client_auth_openidconnect_IdToken_parse_com_google_api_client_json_JsonFactory_java_lang_String_) to parse an ID token from a string. Then, use the
`verify` methods to verify the ID token as required by the specification.

Implementation is not thread-safe.

Inheritance
-----------

[java.lang.Object](https://docs.oracle.com/javase/8/docs/api/java/lang/Object.html) > [JsonWebToken](https://cloud.google.com/java/docs/reference/google-http-client/latest/com.google.api.client.json.webtoken.JsonWebToken.html) > com.google.api.client.json.webtoken.JsonWebSignature > IdToken

Inherited Members
-----------------

- com.google.api.client.json.webtoken.JsonWebSignature.getHeader()
- com.google.api.client.json.webtoken.JsonWebSignature.getSignatureBytes()
- com.google.api.client.json.webtoken.JsonWebSignature.getSignedContentBytes()
- com.google.api.client.json.webtoken.JsonWebSignature.parse(com.google.api.client.json.JsonFactory,java.lang.String)
- com.google.api.client.json.webtoken.JsonWebSignature.parser(com.google.api.client.json.JsonFactory)
- com.google.api.client.json.webtoken.JsonWebSignature.signUsingRsaSha256(java.security.PrivateKey,com.google.api.client.json.JsonFactory,com.google.api.client.json.webtoken.JsonWebSignature.Header,com.google.api.client.json.webtoken.JsonWebToken.Payload)
- com.google.api.client.json.webtoken.JsonWebSignature.verifySignature()
- com.google.api.client.json.webtoken.JsonWebSignature.verifySignature(java.security.PublicKey)
- com.google.api.client.json.webtoken.JsonWebSignature.verifySignature(javax.net.ssl.X509TrustManager)
- com.google.api.client.json.webtoken.JsonWebToken.getPayload()
- com.google.api.client.json.webtoken.JsonWebToken.toString()
- [Object.clone()](https://docs.oracle.com/javase/8/docs/api/java/lang/Object.html#clone--)
- [Object.equals(Object)](https://docs.oracle.com/javase/8/docs/api/java/lang/Object.html#equals-java.lang.Object-)
- [Object.finalize()](https://docs.oracle.com/javase/8/docs/api/java/lang/Object.html#finalize--)
- [Object.getClass()](https://docs.oracle.com/javase/8/docs/api/java/lang/Object.html#getClass--)
- [Object.hashCode()](https://docs.oracle.com/javase/8/docs/api/java/lang/Object.html#hashCode--)
- [Object.notify()](https://docs.oracle.com/javase/8/docs/api/java/lang/Object.html#notify--)
- [Object.notifyAll()](https://docs.oracle.com/javase/8/docs/api/java/lang/Object.html#notifyAll--)
- [Object.wait()](https://docs.oracle.com/javase/8/docs/api/java/lang/Object.html#wait--)
- [Object.wait(long)](https://docs.oracle.com/javase/8/docs/api/java/lang/Object.html#wait-long-)
- [Object.wait(long,int)](https://docs.oracle.com/javase/8/docs/api/java/lang/Object.html#wait-long-int-)

Static Methods
--------------

### parse(JsonFactory jsonFactory, String idTokenString)

    public static IdToken parse(JsonFactory jsonFactory, String idTokenString)

Parses the given ID token string and returns the parsed ID token.

Constructors
------------

### IdToken(JsonWebSignature.Header header, IdToken.Payload payload, byte\[\] signatureBytes, byte\[\] signedContentBytes)

    public IdToken(JsonWebSignature.Header header, IdToken.Payload payload, byte[] signatureBytes, byte[] signedContentBytes)

Methods
-------

### getPayload()

    public IdToken.Payload getPayload()

**Overrides**
com.google.api.client.json.webtoken.JsonWebToken.getPayload()

### verifyAudience(Collection\<String\> trustedClientIds)

    public final boolean verifyAudience(Collection<String> trustedClientIds)

Returns whether the audience in the payload contains only client IDs that are trusted as
specified in step 2 of [ID Token
Validation](http://openid.net/specs/openid-connect-basic-1_0-27.html#id.token.validation).

### verifyExpirationTime(long currentTimeMillis, long acceptableTimeSkewSeconds)

    public final boolean verifyExpirationTime(long currentTimeMillis, long acceptableTimeSkewSeconds)

Returns whether the Payload#getExpirationTimeSeconds is valid relative to the current
time, allowing for a clock skew as specified in step 5 of [ID Token
Validation](http://openid.net/specs/openid-connect-basic-1_0-27.html#id.token.validation).

### verifyIssuedAtTime(long currentTimeMillis, long acceptableTimeSkewSeconds)

    public final boolean verifyIssuedAtTime(long currentTimeMillis, long acceptableTimeSkewSeconds)

Returns whether the Payload#getIssuedAtTimeSeconds is valid relative to the current
time, allowing for a clock skew as specified in step 6 of [ID Token
Validation](http://openid.net/specs/openid-connect-basic-1_0-27.html#id.token.validation).

### verifyIssuer(String expectedIssuer)

    public final boolean verifyIssuer(String expectedIssuer)

Returns whether the issuer in the payload matches the given expected issuer as specified in
step 1 of [ID Token
Validation](http://openid.net/specs/openid-connect-basic-1_0-27.html#id.token.validation).

### verifyIssuer(Collection\<String\> expectedIssuer)

    public final boolean verifyIssuer(Collection<String> expectedIssuer)

Returns whether the issuer in the payload matches the given expected issuer as specified in
step 1 of [ID Token
Validation](http://openid.net/specs/openid-connect-basic-1_0-27.html#id.token.validation). When an issuer is migrating to a new issuer string the expected issuer has
multiple aliases, so multiple are permitted here.

### verifyTime(long currentTimeMillis, long acceptableTimeSkewSeconds)

    public final boolean verifyTime(long currentTimeMillis, long acceptableTimeSkewSeconds)

Returns whether the Payload#getExpirationTimeSeconds and Payload#getIssuedAtTimeSeconds are valid relative to the current time, allowing for a clock
skew as specified in steps 5 and 6 of [ID Token
Validation](http://openid.net/specs/openid-connect-basic-1_0-27.html#id.token.validation).

Last updated 2025-08-07 UTC.
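
The parse-then-verify sequence described for this class, as an added example that is not part of the library's documentation: it combines the inherited `verifySignature(PublicKey)` with the issuer, audience and time checks and rejects the token on the first failure. The class name `IdTokenCheck`, the 300-second skew, the issuer URL and the client ID are assumptions, the sample token is constructed and signed locally, and `GsonFactory` is assumed to be available from google-http-client-gson.

```java
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.List;

public class IdTokenCheck {
  static final JsonFactory JSON = GsonFactory.getDefaultInstance();
  static final long SKEW_SECONDS = 300; // assumed tolerance, not a library default

  /** Returns the subject only when signature, issuer, audience and time checks all pass. */
  static String validate(String raw, PublicKey issuerKey, List<String> issuers,
      List<String> clientIds, long nowMillis) throws Exception {
    IdToken token = IdToken.parse(JSON, raw);
    // The claim checks below say nothing about authenticity, so check the signature first.
    if (!token.verifySignature(issuerKey)) throw new SecurityException("bad signature");
    if (!token.verifyIssuer(issuers)) throw new SecurityException("unexpected issuer");
    if (!token.verifyAudience(clientIds)) throw new SecurityException("untrusted audience");
    if (!token.verifyTime(nowMillis, SKEW_SECONDS)) throw new SecurityException("outside validity window");
    return token.getPayload().getSubject();
  }

  static KeyPair newKey() throws Exception {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    return gen.generateKeyPair();
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample token, signed locally so the example runs offline.
    KeyPair issuer = newKey();
    long now = System.currentTimeMillis() / 1000;
    IdToken.Payload payload = new IdToken.Payload();
    payload.setIssuer("https://issuer.example").setAudience("client-123").setSubject("user-1")
        .setIssuedAtTimeSeconds(now).setExpirationTimeSeconds(now + 600);
    String raw = JsonWebSignature.signUsingRsaSha256(issuer.getPrivate(), JSON,
        new JsonWebSignature.Header().setAlgorithm("RS256"), payload);
    List<String> iss = List.of("https://issuer.example"), aud = List.of("client-123");
    System.out.println(validate(raw, issuer.getPublic(), iss, aud, now * 1000));
    try {
      validate(raw, newKey().getPublic(), iss, aud, now * 1000); // key the issuer never used
    } catch (SecurityException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```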