Access tokens should always be used to call your APIs, as explained here. For you to be able to use the access token to access an API, it needs to have the proper audience, scope (depends on the case) and issuer. It must not be expired and the signature has to be valid. The access token verification process is explained in this document in greater detail.
If you’re getting an Unauthorized error message, there are several aspects that you can check by inspecting the token through a tool like jwt.io:
- Verify that the token has the proper audience by looking at the aud claim. It has to be the API identifier that you set through the Dashboard and that you are using in your validation code on the API.
- Verify that the issuer is the same Auth0 domain (with a https:// prefix and a / suffix) that you’ve configured in the validation code that you’re using in your API by inspecting the
- If you’re using RS256 tokens, verify that you’re getting the proper keys from the jwks endpoint (https://YOUR_DOMAIN.REGION.auth0.com/.well-known/jwks.json). Depending on how you are validating the token, you should verify that the Auth0 Domain that you’re using is correct, since you may be using a special package or library that only requires you to configure this.
- If you’re protecting some routes with specific scopes, verify that those are included in the scope claim of the access token.
- Confirm that the token is not expired. You might be setting an expiration time that’s too low in the API settings on the Dashboard. If this is the case, you might get a Token Expired error instead of an
If after reviewing all of these aspects you still get the same error message, can you please provide the code you’re using to configure the SPA and the API? (Please remove any information that might be private or use some test credentials that you can modify later).