The

sub

key in the

/userinfo

endpoint is a standard claim in OpenID Connect (OIDC) and represents the subject identifier, which is a unique identifier for the user. It's not recommended or standard practice to remove or override this key as it's crucial for identifying the user. However, if you want to add custom claims to the userinfo response, you can do so by including information in

session.id_token

when accepting the consent request. Here's an example of how to do this using the Ory SDK:

javascript import { Configuration, OAuth2Api } from "@ory/client"      const ory = new OAuth2Api(    new Configuration({    basePath: `https://${process.env.ORY_PROJECT_SLUG}.<http://projects.oryapis.com|projects.oryapis.com>`,    accessToken: process.env.ORY_API_KEY,    }),   )      export async function acceptConsent(consentChallenge: string) {    const { data } = await ory.getOAuth2ConsentRequest({ consentChallenge })       return await ory    .acceptOAuth2ConsentRequest({    consentChallenge: consentChallenge,    acceptOAuth2ConsentRequest: {    session: {    access_token: {    some_custom_claim: "some_custom_value",    },    id_token: {    id_custom_claim: "some_value",    },    },    },    })    .then(({ data }) => data)   }

In this example,

some_custom_claim

and

id_custom_claim

are custom claims added to the userinfo response. Be aware that the

/userinfo

endpoint is publicly available, so don't expose sensitive information without user consent. For more details, refer to the [Ory documentation on adding custom claims to the userinfo response](https://www.ory.sh/docs/oauth2-oidc/userinfo-oidc#adding-custom-claims-to-the-userinfo-response).

@chilly-king-10285 My current sub key contains private information that shouldn't be leaked outside of my infrastructure. However, I need the private sub value to be returned by the admin oauth2 introspect endpoint, but not the userinfo endpoint. How to achieve that using Ory Hydra?

New message text here