openid scope was requested). When the phone scope is granted, the ID token and userinfo response include phone_number and phone_number_verified. This must be done server-side — never expose your client secret in client-side code.
Request Body

- Must be `authorization_code`
- The authorization code received from the authorize endpoint callback
- Must exactly match the `redirect_uri` used in the authorization request
- Your OAuth client ID
- Your OAuth client secret
- PKCE code verifier (required if `code_challenge` was provided during authorization)

Response Fields
ID Token Claims
When the `openid` scope is included, the ID token contains:
| Claim | Description |
|---|---|
| `iss` | Issuer (e.g., `https://dhmad.tn`) |
| `sub` | User ID |
| `aud` | Your client ID |
| `exp` | Expiration timestamp |
| `iat` | Issued-at timestamp |
| `email` | User’s email address |
| `email_verified` | Whether the email is verified |
| `name` | Full name |
| `given_name` | First name |
| `family_name` | Last name |
| `kyc_verified` | Whether the user has approved KYC on DHMAD |
| `kyc_status` | KYC status: `"pending"`, `"approved"`, `"rejected"`, or `null` |
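
A server-side check of the claims listed above, as an added example that is not part of the DHMAD documentation. It assumes the ID token's signature has already been verified and the payload decoded into a dict; `CLIENT_ID`, `CLOCK_SKEW`, the function name and the sample claims are hypothetical.

```python
import time

# Assumptions (not from the DHMAD docs): the ID token signature was already
# verified and the payload decoded into `claims`; CLIENT_ID is a placeholder.
ISSUER = "https://dhmad.tn"   # example issuer value from the claims table
CLIENT_ID = "my-client-id"    # placeholder for your OAuth client ID
CLOCK_SKEW = 60               # tolerated clock drift in seconds (assumed)


class ClaimError(ValueError):
    """Raised when an ID token claim fails validation."""


def validate_id_token_claims(claims, now=None, require_kyc=True):
    """Return the user ID (sub) if the claims are acceptable, else raise."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ClaimError("unexpected issuer")
    # OpenID Connect allows aud to be a single string or a list of strings.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ClaimError("token was not issued to this client")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or exp + CLOCK_SKEW < now:
        raise ClaimError("token expired or exp missing")
    if not isinstance(iat, (int, float)) or iat - CLOCK_SKEW > now:
        raise ClaimError("iat missing or in the future")
    if not claims.get("sub"):
        raise ClaimError("missing sub")
    # Policy choice of this example: require a verified email. The identity
    # comparison stops a string such as "true" from passing as verified.
    if claims.get("email_verified") is not True:
        raise ClaimError("email not verified")
    # kyc_status may be null (None) when the user never started KYC.
    if require_kyc and not (claims.get("kyc_verified") is True
                            and claims.get("kyc_status") == "approved"):
        raise ClaimError("KYC not approved (status=%r)" % claims.get("kyc_status"))
    return claims["sub"]


# Constructed sample payload, not a real token.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
    "exp": 1_700_003_600, "iat": 1_700_000_000,
    "email": "user@example.com", "email_verified": True,
    "kyc_verified": True, "kyc_status": "approved",
}
```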