Why is my access token not a JWT? (Opaque Token)

Question: Why is my access token not a JWT? (Opaque Token)

Answer:

An access token will be issued in one of the following formats:

  • JSON Web Token (JWT): Tokens that conform to the JSON Web Token standard and contain information about an entity in the form of claims. They are self-contained in that it is not necessary for the recipient to call a server to validate the token. Access Tokens issued for the Auth0 Management API and Access Tokens issued for any custom API that you have registered with Auth0 will follow the JSON Web Token (JWT) standard, which means that their basic structure conforms to the typical JWT Structure, and they contain standard JWT Claims asserted about the token itself.

  • Opaque tokens: Tokens in a proprietary format that typically contain some identifier to information in a server’s persistent storage. To validate an opaque token, the recipient of the token needs to call the server that issued the token. Opaque Access Tokens are tokens whose format you cannot access. Opaque Access Tokens issued by Auth0 can be used with the /userinfo endpoint to return a user’s profile.

How do I request a JWT?

To receive a JWT, you must include an audience parameter with your token request. Typically, this would be an external API, like a custom API you have registered in the dashboard. See this doc for details:

Supporting Documentation:

Documentation: Access Tokens, Tokens

Video Tutorial
