/userinfo

Return the profile-backed claim set for an access token.

Endpoint

  • Methods: GET or POST
  • URL: https://sso.user.m7.org/userinfo
  • Response: JSON

Authentication

Recommended request shape:

  • Authorization: Bearer <ACCESS_TOKEN>
  • client_id=<CLIENT_ID>

Optional proof context:

  • DPoP header
  • fingerprint

Required input

  • access token
  • client_id

Important current behavior:

  • the access token must belong to the same client_id

Example

curl -sS 'https://sso.user.m7.org/userinfo?client_id=CLIENT_ID' \
  -H 'Authorization: Bearer ACCESS_TOKEN'

Example with DPoP:

curl -sS 'https://sso.user.m7.org/userinfo?client_id=CLIENT_ID' \
  -H 'Authorization: Bearer ACCESS_TOKEN' \
  -H 'DPoP: DPOP_PROOF'

Example response

{
  "sub": "USER_OR_SUBJECT_ID",
  "uid": "USER_OR_SUBJECT_ID",
  "name": "Display Name",
  "preferred_username": "Display Name",
  "picture": "https://files.m7.org/path/to/avatar.jpg",
  "display_name": "Display Name",
  "avatar": "https://files.m7.org/path/to/avatar.jpg",
  "locale": "en-US",
  "timezone": "UTC"
}

Current responses may also include profile fields such as:

  • bio
  • pronouns
  • website
  • social
  • settings
  • system
  • created
  • updated

Common errors

  • invalid_request
  • invalid_token
  • insufficient_scope
  • server_error

Notes

  • client_id is currently required on this endpoint.
  • If the token is bound to DPoP or other proof context, send matching proof information with the request.
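
The DPOP_PROOF value in the DPoP example above is a signed JWT tied to one request. The following is an added example, not code from this service, showing how a client could build that proof for GET /userinfo and how the bound fields are checked. It assumes the endpoint follows the RFC 9449 proof format with ES256; the function names and the mismatch labels are hypothetical and are not this endpoint's error codes.

```javascript
// Added example: build and self-check a DPoP proof for GET /userinfo (RFC 9449 assumed).
const crypto = require('node:crypto');

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const tokenHash = (t) => crypto.createHash('sha256').update(t, 'ascii').digest('base64url');
const targetUri = (url) => { const u = new URL(url); return u.origin + u.pathname; };

// Client side: one proof per request, tied to method, URL and access token.
function buildDpopProof({ privateKey, publicKey, method, url, accessToken, now = Date.now() }) {
  const { kty, crv, x, y } = publicKey.export({ format: 'jwk' });
  const header = { typ: 'dpop+jwt', alg: 'ES256', jwk: { kty, crv, x, y } };
  const claims = {
    jti: crypto.randomUUID(),        // unique value so a captured proof cannot be replayed
    htm: method.toUpperCase(),
    htu: targetUri(url),             // query string (?client_id=...) is not part of htu
    iat: Math.floor(now / 1000),
    ath: tokenHash(accessToken),     // binds the proof to this access token
  };
  const input = `${b64u(header)}.${b64u(claims)}`;
  // JWS ES256 uses the raw r||s signature form, not OpenSSL's default DER.
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Verifier-side view: returns 'ok' or the first mismatch found.
function checkDpopProof(proof, { method, url, accessToken, now = Date.now(), maxAgeSec = 60 }) {
  const [h, c, s] = proof.split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  const claims = JSON.parse(Buffer.from(c, 'base64url').toString());
  if (header.typ !== 'dpop+jwt' || header.alg !== 'ES256') return 'bad_header';
  const key = crypto.createPublicKey({ key: header.jwk, format: 'jwk' });
  const valid = crypto.verify('sha256', Buffer.from(`${h}.${c}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!valid) return 'bad_signature';
  if (claims.htm !== method.toUpperCase()) return 'htm_mismatch';
  if (claims.htu !== targetUri(url)) return 'htu_mismatch';
  if (claims.ath !== tokenHash(accessToken)) return 'ath_mismatch';
  if (Math.abs(now / 1000 - claims.iat) > maxAgeSec) return 'stale_proof';
  return 'ok';
}

// Constructed sample values; CLIENT_ID and ACCESS_TOKEN are the page's placeholders.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const request = { method: 'GET', url: 'https://sso.user.m7.org/userinfo?client_id=CLIENT_ID', accessToken: 'ACCESS_TOKEN' };
const proof = buildDpopProof({ privateKey, publicKey, ...request });
console.log(proof);
console.log(checkDpopProof(proof, request));
```

A production verifier would also track jti values to reject replays and compare the proof key's thumbprint with the key the access token is bound to; both are left out here.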