# Using user information in LIFF apps and servers

When a user launches the LIFF app in LINE's in-app browser or in an external browser and performs LINE Login, the LIFF app can get the user's profile (user ID, display name, profile image, and email address).

If your LIFF app doesn't properly handle this user information, it will be vulnerable to spoofing and other types of attacks.

This page describes how to securely use the information of the user who opened the LIFF app in the LIFF app or server.

## Use user information on server

To use the user information on the server, send the ID token or access token from the LIFF app to the server. The server can then securely retrieve the user's profile by passing that token to the LINE Platform.

Don't send user info to server

Don't send the details of the user profile obtained with liff.getDecodedIDToken() to the server from the LIFF app.

Tip

The LIFF SDK verifies ID tokens and access tokens obtained from the LINE Platform. You can trust the tokens obtained with liff.getIDToken() and liff.getAccessToken().

### Send user ID token to get user information

When you send the ID token obtained by liff.getIDToken() to the server, the server can verify the ID token with POST /oauth2/v2.1/verify and securely get the user's profile information.

### Send access token to get user information

When you send the access token obtained by liff.getAccessToken() to the server, the server verifies the validity of the token (GET /oauth2/v2.1/verify), also verifies the channel ID and the expiration date of the access token, and can then securely get the user's profile information (GET /v2/profile).
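The server-side access token flow described above, as an added example that is not code from the LINE documentation. It assumes Node.js 18 or later (global fetch); the host https://api.line.me and the response field names (client_id, expires_in, userId, displayName) are not stated on this page and are assumptions here, and the channel ID passed in is your own.

```javascript
// Added example. Host and response field names are assumptions (see lead-in).
const LINE_API = "https://api.line.me";

// Decide whether a GET /oauth2/v2.1/verify response body is acceptable.
// Returns null when the token can be trusted, otherwise a reason string.
// The channel ID is compared as a string, so pass expectedChannelId as one.
function checkVerifyResponse(body, expectedChannelId) {
  if (!body || typeof body !== "object") return "malformed verify response";
  if (body.client_id !== expectedChannelId) return "token issued to another channel";
  if (!Number.isFinite(body.expires_in) || body.expires_in <= 0) return "token expired";
  return null;
}

// Full flow: verify the token, check channel ID and expiry, then get the profile.
// fetchImpl is injectable so the flow can be exercised without network access.
async function getVerifiedProfile(accessToken, expectedChannelId, fetchImpl = fetch) {
  if (typeof accessToken !== "string" || accessToken.length === 0) {
    throw new Error("missing access token");
  }
  const verifyUrl =
    `${LINE_API}/oauth2/v2.1/verify?access_token=${encodeURIComponent(accessToken)}`;
  const verifyRes = await fetchImpl(verifyUrl);
  if (!verifyRes.ok) throw new Error("access token rejected by LINE Platform");
  const reason = checkVerifyResponse(await verifyRes.json(), expectedChannelId);
  if (reason) throw new Error(reason);

  const profileRes = await fetchImpl(`${LINE_API}/v2/profile`, {
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  if (!profileRes.ok) throw new Error("profile request failed");
  const profile = await profileRes.json();
  // Key server-side records on the userId returned by the LINE Platform,
  // never on a user ID or display name taken from the request body.
  return { userId: profile.userId, displayName: profile.displayName };
}
```

Skipping the channel ID comparison would let the server accept a valid access token that was issued to a different channel.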

## Use user information in LIFF app

Use the user's profile information obtained from liff.getDecodedIDToken().

Don't send user info to server

Don't send the details of the user profile obtained with liff.getDecodedIDToken() to the server from the LIFF app.