{
  "$schema": "http://json-schema.org/draft-06/schema#",
  "title": "User Token Claim Schema",
  "description": "Defines the claims provided to autenticate a user with a JWT.",
  "type": "object",
  "additionalProperties": true,
  "oneOf": [
    {
      "required": [
        "user"
      ]
    },
    {
      "required": [
        "sub"
      ]
    }
  ],
  "properties": {
    "authentication": {
      "type": "string",
      "title": "Authentication",
      "description": "Users can either be authenticated or unauthenticated. Authenticated users have had their identity validated. Unauthenticated users have not proved their identity, can still take actions when enabled in SaaSquatch, but are tracked separately.",
      "default": "authenticated",
      "enum": [
        "authenticated",
        "unauthenticated"
      ]
    },
    "sub": {
      "type": "string",
      "title": "Subject",
      "description": "The user identity to be validated. Of the format: `{ACCOUNTID}:{USERID}@{TENANT}:users`"
    },
    "iss": {
      "type": "string",
      "title": "Issuer",
      "description": "The issuer of the token. When ommitted then the issuer must be a "
    },
    "user": {
      "type": "object",
      "title": "The User Subject",
      "description": "Identifies the user by identity.",
      "additionalProperties": true,
      "required": [
        "id",
        "accountId"
      ],
      "properties": {
        "id": {
          "type": "string",
          "title": "User ID"
        },
        "accountId": {
          "type": "string",
          "title": "Account ID"
        }
      }
    }
  }
}