[Yandex Cloud documentation](../../../index.md) > [Yandex Identity and Access Management](../../index.md) > [Concepts](../index.md) > [Authentication](index.md) > ID token

# Service account ID token

{% note info %}

Creating ID tokens for service accounts may be prohibited by [access policies](../access-control/access-policies.md) at the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder), [cloud](../../../resource-manager/concepts/resources-hierarchy.md#cloud), or [organization](../../../organization/concepts/organization.md) level.

{% endnote %}

An [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) is a unique short-lived token issued for a [service account](../users/service-accounts.md) and enabling it to authenticate with external systems that support [OIDC](https://openid.net/specs/openid-connect-core-1_0.html) authentication.

An ID token is generated by Yandex Cloud and used to get an access token in an external system. An ID token is valid for one hour. You cannot use an ID token for authentication when accessing the [Yandex Cloud API](../../../api-design-guide/index.md).

## ID token format {#token-format}

An ID token is a [JSON web token](https://en.wikipedia.org/wiki/JSON_Web_Token) (JWT) consisting of three parts separated by a dot, e.g., `<header>.<body>.<signature>`.

The ID token **header** includes the following attributes:

* `kid`: ID of the public signature key for token signature verification.
* `alg`: Signature algorithm.

The ID token **body** includes the following attributes:

* `iss`: URL of the Yandex Cloud OIDC provider, `https://auth.cloud.yandex.com`.
* `sub`: Service account [ID](../../operations/sa/get-id.md) provided in the `subject-id` parameter when creating the ID token.
* `aud`: Token target resource. Provide it in the `audience` parameter when creating the ID token. If left unspecified when creating the token, this value defaults to the service account ID from `subject-id`.
* `exp`: Token expiration time in [Unix Time](https://en.wikipedia.org/wiki/Unix_time) format. An ID token expires one hour after creation.
* `iat`: Token issue time in Unix Time format.
* `jti`: Unique ID token identifier that prevents the token reuse.

The **ID token signature** allows you to make sure the token has not been modified. To verify the signature, you need a public key. To [get](https://auth.yandex.cloud/oauth/jwks/keys) a public key in Yandex Cloud, use the ID from the `kid` field of the token header.

To [get](../../operations/sa/get-id-token.md) an ID token for a service account, use the [Yandex Cloud CLI](../../../cli/index.md).