Access Token always returns encrypted ID Token (alg: dir), even with correct audience and settings

I am using Auth0 with a React SPA + Rails API setup.
I want to retrieve an RS256-signed Access Token using getAccessTokenSilently() from the SPA.

I have already checked and configured the following:

  • OIDC Conformant is enabled for the SPA application in Auth0
  • The API uses RS256 and has encryption disabled
  • Audience (https://my_backend_tk.com) is correctly specified
  • Callback URLs and Web Origins are properly set
  • I even created a new API and a new Auth0 Application from scratch

However, getAccessTokenSilently() still returns an encrypted token like this:

{
  "alg": "dir",
  "enc": "A256GCM"
}

This seems like a misconfiguration or bug.
Tenant name: dev-id5xx82j7py05t5w

Please help. I’m stuck.

Hi @daichitk1

Welcome to the Auth0 Community!

Thank you for posting your question. Can you double-check if you are properly adding the audience parameter to the request?

const accessToken = await getAccessTokenSilently({
  // audience must be the API identifier configured in Auth0
  authorizationParams: {
    audience: "API_IDENTIFIER"
  }
});

You can read more about audience here → Value of the Audience Attribute in Access Token Requests and its Significance

Thanks
Dawid
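
A quick check for the symptom discussed in this thread, as an added example that is not part of the original posts: it classifies a token string by its compact-serialization shape (three segments for a signed JWS per RFC 7515, five for an encrypted JWE per RFC 7516) and its protected header. The function names and sample tokens are constructed for illustration; the check inspects shape only and does not verify any signature.

```javascript
// Added example: tell a signed JWS access token apart from a JWE/opaque one
// before the SPA sends it to the API. Shape check only, no signature validation.

function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  return typeof atob === "function"
    ? atob(b64)
    : Buffer.from(b64, "base64").toString("binary");
}

// Helper used only to build the constructed samples below.
function b64urlEncode(text) {
  const b64 = typeof btoa === "function"
    ? btoa(text)
    : Buffer.from(text, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function classifyToken(token) {
  const parts = String(token).split(".");
  let header;
  try {
    header = JSON.parse(b64urlDecode(parts[0]));
  } catch (e) {
    return { kind: "opaque", header: null, looksLikeRs256Jws: false };
  }
  if (header === null || typeof header !== "object") {
    return { kind: "opaque", header: null, looksLikeRs256Jws: false };
  }
  // JWE compact form: header.encrypted_key.iv.ciphertext.tag
  // (with "alg": "dir" the encrypted_key segment is empty).
  if (parts.length === 5 && typeof header.enc === "string") {
    return { kind: "JWE", header, looksLikeRs256Jws: false };
  }
  // JWS compact form: header.payload.signature
  if (parts.length === 3 && header.alg === "RS256") {
    return { kind: "JWS", header, looksLikeRs256Jws: true };
  }
  return { kind: "unexpected", header, looksLikeRs256Jws: false };
}

// Constructed samples (not real tokens): the header from the question, and an RS256 header.
const jweSample = [b64urlEncode('{"alg":"dir","enc":"A256GCM"}'), "", "aXY", "Y3Q", "dGFn"].join(".");
const jwsSample = [b64urlEncode('{"alg":"RS256","typ":"JWT"}'),
  b64urlEncode('{"aud":"https://my_backend_tk.com"}'), "c2ln"].join(".");

console.log(classifyToken(jweSample).kind, classifyToken(jwsSample).kind);
```

Running `classifyToken` on the value returned by `getAccessTokenSilently()` while debugging shows whether the API received something it can validate as RS256; the API must still verify the signature, issuer and audience itself.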