Last Updated: Jul 26, 2024
Overview
This article explains why an access token may be issued as an opaque token rather than a JWT.
Applies To
- Access Token
Solution
Please check out the video and the information below:
An access token will be issued in one of the following formats:
- JSON Web Token (JWT):
Tokens that conform to the JSON Web Token standard and contain information about an entity in the form of claims. They are self-contained in that it is not necessary for the recipient to call a server to validate the token. Access Tokens issued for the Auth0 Management API and Access Tokens issued for any custom API registered with Auth0 follow the JSON Web Token (JWT) standard, which means that their basic structure conforms to the typical JWT Structure, and they contain standard JWT Claims asserted about the token itself.
- Opaque tokens:
Tokens in a proprietary format that typically contain some identifier to information in a server’s persistent storage. To validate an opaque token, the recipient of the token needs to call the server that issued the token. Opaque Access Tokens are tokens whose format cannot be accessed. Opaque Access Tokens issued by Auth0 can be used with the /userinfo endpoint to return a user’s profile.
How to request a JWT
To receive a JWT, the token request must include an audience parameter. Typically, the audience is an external API, such as a custom API registered in the dashboard.
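The following added example (not Auth0's own code) checks whether a received access token has JWT structure or is opaque, and builds an authorization request that carries the audience parameter. The domain, client ID, redirect URI and API identifier are placeholders, the sample tokens are constructed, and the check inspects structure only without verifying the signature.

```python
import base64
import json
from urllib.parse import urlencode


def _b64url_json(segment):
    """Decode one base64url segment to a JSON object, or return None."""
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        obj = json.loads(raw)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return obj if isinstance(obj, dict) else None


def classify_access_token(token):
    """Return ("jwt", claims) for a three-part JWT, else ("opaque", None).
    Structure check only: the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque", None
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    if header is None or claims is None or "alg" not in header:
        return "opaque", None
    return "jwt", claims


def authorize_url(domain, client_id, redirect_uri, audience=None):
    """Build an authorization request; `audience` names the target API."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid profile"}
    if audience:
        params["audience"] = audience
    return f"https://{domain}/authorize?" + urlencode(params)


def _seg(obj):
    """Encode a dict as an unpadded base64url JSON segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed samples: the JWT carries a dummy signature, the opaque value is random text.
SAMPLE_JWT = ".".join([_seg({"alg": "RS256", "typ": "JWT"}),
                       _seg({"aud": "https://api.example.com", "sub": "user-1"}),
                       "c2lnbmF0dXJl"])
SAMPLE_OPAQUE = "Zx9kQ2mVt4LpA7sR"

if __name__ == "__main__":
    for tok in (SAMPLE_JWT, SAMPLE_OPAQUE):
        kind, claims = classify_access_token(tok)
        print(kind, (claims or {}).get("aud"))
```

A token classified as "jwt" here must still have its signature, issuer and audience validated by the API before it is trusted.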