docs: Document isRestricted and restrictedReason JWT claims

[promptless]

Open this suggestion in Promptless to view citations and reasoning process

Documents the new is_restricted and restricted_reason JWT claims introduced for the onboarding/restricted users feature. Updates the JWT documentation to explain these fields in the claims section, adds them to the example payload, documents the restricted user token structure, and adds the include_restricted JWKS parameter for manual token verification.

Trigger Events

stack-auth/stack-auth commit (dev): de0f937 [CHANGELOG] - 2026.01.21

Promptless Research (1 webpage, 1 GitHub PR)

• Read webpage from github.com
• Reviewed stack-auth/stack-auth#1069

Agent Response

I've completed my analysis of the changelog entry and created the necessary documentation update.

Summary

After reviewing the changelog entry for 2026.01.21, I identified:

Already Covered by Existing Suggestions

The payment-related items were already documented by existing suggestions:

• Payments Settings page → covered by the "Document payment settings" suggestion
• Subscription renewal emails → covered by the "Document payment email templates" suggestion
• Invoice visibility → covered by the "Document invoice listing feature" suggestion

New Documentation Created

I created a new suggestion to address the remaining item: "Updated JWT documentation to include isRestricted and restrictedReason"

The suggestion updates the JWT Tokens documentation with:

• New claims documentation: Added is_restricted (boolean) and restricted_reason (nullable object with type field) to the Stack Auth Specific Claims section
• Updated example payload: Added the new fields to the example JWT payload
• Restricted user tokens: Documented how restricted user tokens differ (:restricted audience suffix)
• JWKS parameter: Added documentation for the include_restricted=true parameter in the Manual JWT Verification section

These fields were introduced in PR #1069 "Onboarding app & restricted users" to support the new onboarding flow where users who haven't completed requirements (like email verification) are marked as "restricted."

---

Help us improve Promptless — If this suggestion missed the mark, please share quick feedback.

If you want Promptless to make further changes on this PR, feel free to leave a comment tagging Promptless (It won't show up in the user drop down but Promptless will get it!)

[promptless]

Citation: Added is_restricted and restricted_reason JWT claims based on PR #1069 "Onboarding app & restricted users". See packages/stack-shared/src/schema-fields.ts for the schema definition of these fields and apps/backend/src/lib/tokens.tsx for how they're added to tokens.
View source

[promptless]

Citation: Documented restricted user token structure including the :restricted audience suffix. See apps/backend/src/lib/tokens.tsx for audience derivation logic and apps/backend/src/app/api/latest/users/crud.tsx for the computeRestrictedStatus() function that determines when users are restricted.
View source

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
stack-backend	Ready	Preview, Comment	Feb 24, 2026 4:52pm
stack-dashboard	Ready	Preview, Comment	Feb 24, 2026 4:52pm
stack-demo	Ready	Preview, Comment	Feb 24, 2026 4:52pm
stack-docs	Ready	Preview, Comment	Feb 24, 2026 4:52pm

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ madster456
❌ promptless[bot]
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Overview

Greptile Summary

This PR documents the is_restricted and restricted_reason JWT claims introduced in the onboarding/restricted users feature. The changes accurately reflect the backend implementation.

Key changes:

• Added documentation for is_restricted (boolean) and restricted_reason (nullable object with type field) claims in jwt.mdx:51-52
• Updated example JWT payload to include the new fields with correct values
• Documented how restricted user tokens differ (:restricted audience suffix)
• Added include_restricted=true parameter documentation for JWKS endpoint
• Created new code examples demonstrating manual JWT verification with restricted user support
• Refactored inline code examples to use PlatformCodeblock components for better maintainability

Verification:
The documentation was verified against the implementation in apps/backend/src/lib/tokens.tsx and the JWKS endpoint. The restricted_reason.type field correctly lists the two valid values: anonymous and email_not_verified.

Confidence Score: 5/5

• This PR is safe to merge with no issues found
• This is a documentation-only PR that accurately documents existing JWT claims. The changes were verified against the backend implementation and all technical details are correct.
• No files require special attention

Important Files Changed

Filename	Overview
docs/content/docs/(guides)/concepts/jwt.mdx	Added comprehensive documentation for is_restricted and restricted_reason JWT claims with accurate examples
docs/code-examples/concepts.ts	Created new code examples file with JWT usage examples for client-side, server-side, and manual verification including restricted users
docs/code-examples/index.ts	Added concepts examples import and registration to the examples index

Sequence Diagram

sequenceDiagram
    participant Client
    participant StackAuth as Stack Auth API
    participant App as Application Backend
    
    Note over Client,App: Regular User Authentication Flow
    Client->>StackAuth: Sign in request
    StackAuth->>StackAuth: Check restriction status
    alt User has verified email
        StackAuth->>Client: Access Token (not restricted)<br/>Audience: project_id
    else User email not verified
        StackAuth->>Client: Restricted Token<br/>Audience: project_id:restricted
    end
    
    Note over Client,App: Anonymous User Flow
    Client->>StackAuth: Create anonymous session
    StackAuth->>Client: Anonymous Token<br/>Audience: project_id:anon
    
    Note over Client,App: Manual JWT Verification
    App->>StackAuth: GET JWKS endpoint with include_restricted
    StackAuth->>App: Return JWKS including restricted keys
    Client->>App: API request with JWT
    App->>App: Verify JWT signature using JWKS<br/>Check audience matches token type
    App->>Client: Response based on user restrictions

Loading

[greptile-apps]

_{No files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[promptless]

🔧 I noticed that some CI checks failed for this PR. I'm investigating the failures and will work on fixing them.

[promptless]

🔧 I noticed that some CI checks failed for this PR. I'm investigating the failures and will work on fixing them.

[madster456]

@Promptless move the code examples into docs/code-examples/concepts/jwt.ts instead of just docs/code-examples/concepts.ts, this makes it more clear what the code examples are tied to within concepts.

[promptless]

I've added new changes to address this PR comment in commit b9eb62d

[vercel]

Additional Suggestion:

The Standard Claims section in JWT documentation is missing restricted user values for 'iss' and 'aud' fields

[promptless]

🔧 I noticed that some CI checks failed for this PR. I'm investigating the failures and will work on fixing them.

[promptless]

I've added new changes to address this CI failure in commit 6c2dc5a

[promptless]

🔧 I noticed that some CI checks failed for this PR. I'm investigating the failures and will work on fixing them.

[promptless]

I've added new changes to address this CI failure in commit 7f02cac

[promptless]

Citation: Corrected the iss claim documentation for restricted users based on the getIssuer() function in apps/backend/src/lib/tokens.tsx. The function shows restricted users get a -restricted-users suffix in their issuer URL, not the same issuer as regular users.
View source

[promptless]

I've added new changes to address this GitHub Commit in commit e433f29

[promptless]

Citation: Commit "Fix restricted user schema" (e5a3546) consolidates the RestrictedReason type across the codebase to consistently include all three types: anonymous, email_not_verified, and restricted_by_administrator. See changes in packages/stack-shared/src/schema-fields.ts where restrictedReasonSchema was created, and sdks/spec/src/types/users/base-user.spec.md for the updated SDK spec.
View source