> ## Documentation Index > Fetch the complete documentation index at: https://auth0.com/llms.txt > Use this file to discover all available pages before exploring further. > Describes how to validate an ID token. # Validate ID Tokens An [ID token](/docs/secure/tokens/id-tokens), which contains user profile attributes, is consumed by an app and is typically used for user interface display. Auth0 issues all ID tokens in [JSON web token (JWT)](/docs/secure/tokens/json-web-tokens) format. If any of these checks fail, the token is considered invalid, and the request must be rejected. 1. [Validate the JWT](/docs/secure/tokens/json-web-tokens/validate-json-web-tokens). 2. Check additional standard claims. If you've performed the standard JWT validation, you have already decoded the [JWT's Payload](/docs/secure/tokens/json-web-tokens/json-web-token-structure) and looked at its standard claims. Additional claims to verify for ID tokens include: * **Token audience** (`aud`, string): The audience value for the token must match the client ID of the application as defined in your [Application's Settings](https://manage.auth0.com/#/applications) in the **Client ID** field. * **Nonce** (`nonce`, string): Passing a nonce in the token request is recommended (required for the Implicit Flow) to help prevent replay attacks. The nonce value in the token must exactly match the original nonce sent in the request. See [Mitigate Replay Attacks](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post/mitigate-replay-attacks-when-using-the-implicit-flow) for details. ## Learn more * [Get ID Tokens](/docs/secure/tokens/id-tokens/get-id-tokens) * [ID Token Structure](/docs/secure/tokens/id-tokens/id-token-structure) * [Update ID Token Lifetime](/docs/secure/tokens/id-tokens/update-id-token-lifetime) * [Mitigate Replay Attacks When Using the Implicit Flow](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post/mitigate-replay-attacks-when-using-the-implicit-flow)