Why Access Token Is Not a JWT (Opaque Token)

Knowledge Articles

community September 17, 2019, 7:57pm 1

Last Updated: Jul 26, 2024

Overview

This article clarifies why the access token is not a JWT (Opaque Token).

Applies To

Access Token

Solution

Please check out the video and the information below:

An access token will be issued in one of the following formats:

JSON Web Token (JWT):
Tokens that conform to the JSON Web Token standard and contain information about an entity in the form of claims. They are self-contained in that it is not necessary for the recipient to call a server to validate the token. Access Tokens issued for the Auth0 Management API and Access Tokens issued for any custom API that were registered with Auth0 will follow the JSON Web Token (JWT) standard, which means that their basic structure conforms to the typical JWT Structure, and they contain standard JWT Claims asserted about the token itself.
Opaque tokens:
Tokens in a proprietary format typically contain some identifier to information in a server’s persistent storage. To validate an opaque token, the recipient of the token needs to call the server that issued the token. Opaque Access Tokens are tokens whose format cannot be accessed. Opaque Access Tokens issued by Auth0 can be used with the /userinfo endpoint to return a user’s profile.

How to request a JWT

To receive a JWT, the token request must include an audience parameter. Typically, this would be an external API, like a registered custom API in the dashboard.

Related References

4 Likes

Access token is not JWT format

Wrong token upon getTokenSilently()

Easy way to put user role in JWT

Invoking an API from a SPA with getTokenWithPopup/getTokenSilently -- is there a better way to do this?

Can I authenticate a session in a NodeJS serverless function when I'm using Auth0 Passwordless on my front end?

Get jwt access token using react-sdk (getAccessTokenSilently)

Auth0 access token missing returns only opaque

Audience yes, no, why?

Trying to validate Access token with Auth0 PHP, but I get The JWT string must contain two dots

How to verify a if access token

Angular and .NET 6 integrated

What is your best practice guidance for a Rails API - use an opaque or JWT-based access token?

How to get access token with HMAC algorithm?

How to use opaque token in Flask Backend?

How to get bearer token from auth0 instance? [Javascript]

Auth0 Architecture and setup for React / Spring Boot

Passwordless Flow initiated via API returns "short" token and does not play well on nextjs-auth0

Latest Angular with a .net 5 back end api

Resource Owner Password Flow - Rules are not executed

Validate Bearer access_token from Device Authorization flow

Auth0-php regular web app + API

What does 'JWT must have 3 parts' mean?

Zapier Integration

What is the Audience

Understanding RS256 Tokens

Auth0 token not RS256

The JWT string must contain two dots

Broken access_token when calling from .net

Issue with Decoding Access Token when passing from NextJS to Flask

Next.js API Routes RBAC

Converting from ID Token to Access Token in "Single-Page App"

Auth0 JWT Malformed, also token is A256GCM

Expo Implementation. Invalid access_token

Missing a alg header

My api is throwing 401 unauthorized when I log in

Custom Claims added to accessToken not being returned from /userinfo

Access_token too short ~ jwt malformed

ASP Core 7 : Examples on how to consume opaque access tokens in pair with JWT?

Error calling my external API

BadRequestError: failed to decode JWT (TypeError: encrypted JWTs cannot be decoded)

Payload in access token is empty after google sing in by Auth0

JWT token is "invalid signature"?

JWT Missing Payload

Decode JWE's access token

WSAM - KrakenD API

Passwordless Magic Link Missing Payload Section

Next.js invalid token using middleware, which token to use?

Access token giving unauthorized in backend

Confusion on /userinfo vs. /api/v2/users/{id} apis

Setup OIDC Server to use with Plaid Core Exchange

Access token payload is empty. i want the user permissions and roles to show in payload fields

Auth Token via Postman has no payload

Verifying token in Azure API Management (APIM)

JWT and JWE tokens

Why is my access token an invalid format?

Authorizacion Code Flow React in React with Spring Boot Backend

JWT Validation Fails with "Invalid number of parts: Expected 3 parts; got 5" Error Message

Receiving JWT access token with one auth0 account, non-JWT token with other. Same code

Identity token does not include scopes when using authorization code flow

Auth0-angular access tokens are not JWTs

Authentication with SPA and API

Access_token or id_token

Auth0.js V9 returns invalid token altrough user info are parsed correctly

Make Request to Auth0 api from react native app

How can I test and debug access tokens / ID tokens?

Google cloud functions - auth0

Easy way to put user role in JWT

Custom Claims not being added for expo requests

Failed Silent auth (Chrome v80)

React Native passwordless without WebAuth

September Community News 2019

Access token empty on successful login