Authentication Tokens Are Not a Data Contract - Azure DevOps Blog
Briefly

"Authentication tokens exist to answer one question: is this caller authorized to do this? They are not intended to be a stable data interface, a schema you can depend on, or an input into application logic. If your application decodes tokens and reads claims from them, this is an important heads-up."
"Although tokens may appear readable today, that was never a promise. We have never publicly documented token contents, and as a result, we have always reserved the right to change token claims at any point, for any reason. Claims may change, become optional, be renamed, be removed, or stop being readable altogether."
"Tokens should be used only for validation and authorization. After validating a token, your application should rely on supported Azure DevOps REST APIs to retrieve user or organization data. Those APIs provide stable contracts, documentation, and clear expectations around change. Token claims do not."
Authentication tokens exist solely to verify caller authorization, not to provide stable data interfaces or application logic inputs. Token claims were never guaranteed and have always been subject to change without notice. Azure DevOps will further encrypt authentication tokens this summer, making payloads unreadable to clients. Applications decoding tokens to extract claims will break, while those treating tokens as opaque will remain unaffected. Instead of relying on decoded token contents, applications should use supported REST APIs to retrieve user and organization data, which provide stable contracts and clear documentation. Token claims should never be treated as a reliable data source.
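As an added illustration of the two patterns the post contrasts (this is example code written for this summary, not code from the Azure DevOps blog or the product), the fragile client reads claims out of the token payload and stops working the moment the token becomes encrypted or otherwise opaque, while the supported client only ever forwards the token as a bearer credential and asks the REST API for user data. Both tokens below are constructed samples, the Profile API URL is assumed from the public docs, and `http_get` is injected so the example runs offline.

```python
import base64
import json
from typing import Callable, Dict


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: a JWS-style token (three segments) whose payload is readable.
# The signature bytes are a placeholder, not a real signature.
READABLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "user-1234", "name": "Example User"}).encode()),
    _b64url(b"\xff" * 32),
])

# Constructed sample: a JWE-style token (five segments) with no readable claims.
ENCRYPTED_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RSA-OAEP", "enc": "A256GCM"}).encode()),
    _b64url(b"\x00" * 32), _b64url(b"\x01" * 12),
    _b64url(b"\x02" * 48), _b64url(b"\x03" * 16),
])


def claims_from_token_fragile(token: str) -> Dict:
    """Anti-pattern: treat the token as a data contract and read its claims.
    Works only while the payload happens to be a readable JWS; raises as soon
    as the token is encrypted or otherwise opaque."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a readable JWS; no claims to read")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


# Assumed endpoint (Profile API, id "me"); the client never inspects the token.
PROFILE_URL = "https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=7.1"


def current_user_via_api(token: str, http_get: Callable[[str, Dict[str, str]], Dict]) -> Dict:
    """Supported pattern: forward the token as an opaque bearer credential and
    let the REST API (a documented contract) return user data."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return http_get(PROFILE_URL, headers)


def fake_http_get(url: str, headers: Dict[str, str]) -> Dict:
    """Constructed stand-in for the API: checks that a bearer token was sent
    and answers with a constructed profile, without ever decoding the token."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    return {"id": "user-1234", "displayName": "Example User"}
```

The fragile path succeeds on the readable sample and fails on the encrypted one; the API path behaves identically for both, which is exactly the property that keeps an application working across the change the post announces.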
Read at Azure DevOps Blog