Skip to content

OpenID Connect

The Ultimaker Account supports the OpenID Connect (OIDC) specification. OIDC describes a way to offer authentication and SSO functionality on top of OAuth2. We support the core and discovery specifications outlined at the OpenID website.


The following URLs are needed for configuring OpenID Connect client applications:

  • Issuer root URL:
  • Authorization endpoint: /authorize
  • Token endpoint: /token
  • Token endpoint authentication type: Basic auth
  • Discovery (metadata) endpoint: /.well-known/openid-configuration
  • JWKS endpoint: /.well-known/jwks
  • Client ID: Provided by Ultimaker
  • Client secret: Provided by Ultimaker

ID token

To obtain an ID token for a user, follow the OAuth2 flow and make sure that you request the openid scope. At the end of the flow, the bearer token response will contain the token in a field called id_token.

    "token_type": "bearer",
    "access_token": "YOUR_JWT_ACCESS_TOKEN",
    "refresh_token": "YOUR_REFRESH_TOKEN",
    "expires_in": 600,
    "scope": "SOME SCOPES",
    "id_token": "YOUR_JWT_ID_TOKEN"

This token can be decoded with the public key available at the JWKS endpoint.


The user info endpoint is currently not supported, please use the ID token for user information.

Additional claims

We support the following additional claims:

  • customer_type: The type of customer (regular, enterprise or education).


All required claims are also supported.