After completing the actions specified by the sign-on policy, the authentication flow completes and the user is redirected to the URL specified in the resumeUrl property in the flow resource.

You can use the GET /{envID}/as/resume?flowId={flowID} endpoint to obtain the access token. The Location HTTP header returned by the resume endpoint contains the token.

To verify that the custom claim is in the token, copy the token from the Location HTTP header and view it in the PingOne JWT decoder tool. Paste your access token into the JWT field and click Decode.