docs: add Custom ID token docs and rename Custom token claims to Custom access token (#1359)

xiaoyijun · web-flow · commit cc666aa920da · 2026-02-10T15:37:16.000+08:00
diff --git a/docs/developers/README.mdx b/docs/developers/README.mdx
@@ -19,9 +19,18 @@ import Settings from '@site/docs/developers/assets/icons/gear.svg';
   items={[
     {
       type: 'link',
-      label: 'Custom token claims',
+      label: 'Custom access token',
       href: '/developers/custom-token-claims',
-      description: 'Expand the capabilities of access control by attaching additional claims, which can help achieve ABAC or reject token issuance.',
+      description: 'Use custom scripts to attach additional claims to access tokens, enabling ABAC or rejecting token issuance.',
+      customProps: {
+        icon: <JwtClaims />,
+      }
+    },
+    {
+      type: 'link',
+      label: 'Custom ID token',
+      href: '/developers/custom-id-token',
+      description: 'Control which extended claims are included in ID tokens, following the OIDC specification.',
       customProps: {
         icon: <JwtClaims />,
       }
diff --git a/docs/developers/audit-logs/README.mdx b/docs/developers/audit-logs/README.mdx
@@ -1,5 +1,5 @@
 ---
-sidebar_position: 6
+sidebar_position: 7
 ---
 
 # Audit logs
diff --git a/docs/developers/custom-id-token/README.mdx b/docs/developers/custom-id-token/README.mdx
@@ -0,0 +1,81 @@
+---
+sidebar_position: 3
+---
+
+# Custom ID token
+
+## Introduction \{#introduction}
+
+[ID token](https://auth.wiki/id-token) is a special type of token defined by the [OpenID Connect (OIDC)](https://auth.wiki/openid-connect) protocol. It serves as an identity assertion issued by the authorization server (Logto) after a user successfully authenticates, carrying claims about the authenticated user's identity.
+
+Unlike [access tokens](/developers/custom-token-claims) which are used to access protected resources, ID tokens are specifically designed to convey authenticated user identity to client applications. They are [JSON Web Tokens (JWTs)](https://auth.wiki/jwt) that contain claims about the authentication event and the authenticated user.
+
+## How ID token claims work \{#how-id-token-claims-work}
+
+In Logto, ID token claims are divided into two categories:
+
+1. **Standard OIDC claims**: Defined by the OIDC specification, these claims are entirely determined by the scopes requested during authentication.
+2. **Extended claims**: Claims extended by Logto to carry additional identity information, controlled by a **dual-condition model** (Scope + Toggle).
+
+```mermaid
+flowchart TD
+    A[User authentication request] --> B{Requested scopes}
+    B --> C[Standard OIDC scopes]
+    B --> D[Extended scopes]
+    C --> E[Standard claims included in ID token]
+    D --> F{Console toggle enabled?}
+    F -->|Yes| G[Extended claims included in ID token]
+    F -->|No| H[Claims not included]
+```
+
+## Standard OIDC claims \{#standard-oidc-claims}
+
+Standard claims are completely governed by the OIDC specification. Their inclusion in the ID token depends solely on the scopes your application requests during authentication. Logto does not provide any option to disable or selectively exclude individual standard claims.
+
+The following table shows the mapping between standard scopes and their corresponding claims:
+
+| Scope     | Claims                                                                                                                                                                           |
+| --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `openid`  | `sub`                                                                                                                                                                            |
+| `profile` | `name`, `family_name`, `given_name`, `middle_name`, `nickname`, `preferred_username`, `profile`, `picture`, `website`, `gender`, `birthdate`, `zoneinfo`, `locale`, `updated_at` |
+| `email`   | `email`, `email_verified`                                                                                                                                                        |
+| `phone`   | `phone_number`, `phone_number_verified`                                                                                                                                          |
+| `address` | `address`                                                                                                                                                                        |
+
+For example, if your application requests the `openid profile email` scopes, the ID token will include all claims from the `openid`, `profile`, and `email` scopes.
+
+## Extended claims \{#extended-claims}
+
+Beyond the standard OIDC claims, Logto extends additional claims that carry identity information specific to the Logto ecosystem. These extended claims follow a **dual-condition model** to be included in the ID token:
+
+1. **Scope condition**: The application must request the corresponding scope during authentication.
+2. **Console toggle**: The administrator must enable the claim's inclusion in the ID token through Logto Console.
+
+Both conditions must be satisfied simultaneously. The scope serves as the protocol-layer access declaration, while the toggle serves as the product-layer exposure control — their responsibilities are clear and non-substitutable.
+
+### Available extended scopes and claims \{#available-extended-scopes-and-claims}
+
+| Scope                                | Claims                         | Description                             | Included by default |
+| ------------------------------------ | ------------------------------ | --------------------------------------- | ------------------- |
+| `custom_data`                        | `custom_data`                  | Custom data stored on the user object   |                     |
+| `identities`                         | `identities`, `sso_identities` | User's linked social and SSO identities |                     |
+| `roles`                              | `roles`                        | User's assigned roles                   | ✅                  |
+| `urn:logto:scope:organizations`      | `organizations`                | User's organization IDs                 | ✅                  |
+| `urn:logto:scope:organizations`      | `organization_data`            | User's organization data                |                     |
+| `urn:logto:scope:organization_roles` | `organization_roles`           | User's organization role assignments    | ✅                  |
+
+### Configure in Logto Console \{#configure-in-logto-console}
+
+To enable extended claims in the ID token:
+
+1. Navigate to <CloudLink to="/customize-jwt">Console > Custom JWT</CloudLink>.
+2. Toggle on the claims you want to include in the ID token.
+3. Ensure your application requests the corresponding scopes during authentication.
+
+## Related resources \{#related-resources}
+
+<Url href="/developers/custom-token-claims">Custom access token</Url>
+
+<Url href="https://openid.net/specs/openid-connect-core-1_0.html#IDToken">
+  OpenID Connect Core - ID Token
+</Url>
diff --git a/docs/developers/custom-token-claims/README.mdx b/docs/developers/custom-token-claims/README.mdx
@@ -2,9 +2,9 @@
 sidebar_position: 2
 ---
 
-# Custom token claims
+# Custom access token
 
-Logto provides the flexibility to add customize claims within access tokens (JWT / Opaque token). With this feature, you can include additional information for your business logic, all securely transmitted in the tokens and retrievable via introspection in the case of opaque tokens.
+Logto provides the flexibility to add custom claims within access tokens (JWT / Opaque token). With this feature, you can include additional information for your business logic, all securely transmitted in the tokens and retrievable via introspection in the case of opaque tokens.
 
 ## Introduction \{#introduction}
 
diff --git a/docs/developers/custom-token-claims/common-use-cases.mdx b/docs/developers/custom-token-claims/common-use-cases.mdx
@@ -7,7 +7,7 @@ sidebar_position: 2
 
 # Common use cases
 
-In this section, we will provide some examples to help you understand some scenarios where [custom token claims](/developers/custom-token-claims) can be useful, offering you some references. This way, when you encounter difficulties in access management, you can assess whether custom token claims can bring you convenience.
+In this section, we will provide some examples to help you understand some scenarios where [custom access token claims](/developers/custom-token-claims) can be useful, offering you some references. This way, when you encounter difficulties in access management, you can assess whether custom access token claims can bring you convenience.
 
 ## Make attribute-based access control (ABAC) possible \{#make-attribute-based-access-control-abac-possible}
 
diff --git a/docs/developers/custom-token-claims/create-script.mdx b/docs/developers/custom-token-claims/create-script.mdx
@@ -1,11 +1,11 @@
 ---
 id: create-script
-title: Create a custom token claims script
-sidebar_label: Create a custom token claims script
+title: Create a custom access token script
+sidebar_label: Create a custom access token script
 sidebar_position: 3
 ---
 
-# Create a custom token claims script
+# Create a custom access token script
 
 To [add custom claims](/developers/custom-token-claims) to the [access token](https://auth.wiki/access-token), you need to provide a script that returns an object containing those claims. The script should be written as a `JavaScript` function that returns an object with the custom claims.
 
diff --git a/docs/developers/sdk-conventions/README.mdx b/docs/developers/sdk-conventions/README.mdx
@@ -2,7 +2,7 @@
 id: sdk-conventions
 title: Platform SDK conventions
 sidebar_label: Platform SDK conventions
-sidebar_position: 7
+sidebar_position: 8
 ---
 
 # Platform SDK conventions
diff --git a/docs/developers/signing-keys.mdx b/docs/developers/signing-keys.mdx
@@ -2,7 +2,7 @@
 id: signing-keys
 title: Signing keys
 sidebar_label: Signing keys
-sidebar_position: 4
+sidebar_position: 5
 ---
 
 # Signing keys
diff --git a/docs/developers/user-impersonation.mdx b/docs/developers/user-impersonation.mdx
@@ -2,7 +2,7 @@
 id: user-impersonation
 title: User impersonation
 sidebar_label: User impersonation
-sidebar_position: 3
+sidebar_position: 4
 ---
 
 import TokenExchangePrerequisites from './fragments/_token-exchange-prerequisites.mdx';
diff --git a/docs/developers/webhooks/README.mdx b/docs/developers/webhooks/README.mdx
@@ -1,5 +1,5 @@
 ---
-sidebar_position: 5
+sidebar_position: 6
 ---
 
 # Webhooks
diff --git a/docs/introduction/README.mdx b/docs/introduction/README.mdx
@@ -143,6 +143,10 @@ Welcome to Logto documentation! Logto is an identity and access management (IAM)
       icon: <GearPlusIcon />,
       docId: 'developers/custom-token-claims/README',
     },
+    {
+      icon: <GearPlusIcon />,
+      docId: 'developers/custom-id-token/README',
+    },
     {
       icon: <ImpersonationIcon />,
       docId: 'developers/user-impersonation',
diff --git a/docs/quick-starts/fragments/_scope-claim-list.md b/docs/quick-starts/fragments/_scope-claim-list.md
diff --git a/docs/quick-starts/fragments/_scopes-and-claims.mdx b/docs/quick-starts/fragments/_scopes-and-claims.mdx
