Access token fails validation

I’m evaluating if I can migrate my service to use auth0 for authentication. Right now I’m stuck at letting my API validate the access tokens. It fails with: “The Token’s Signature resulted invalid when verified using the Algorithm: SHA256withRSA”

I hope I write down all the relevant clues here:

I have one app with the auth domain: (uses RS256, haven’t changed advanced settings)
I have one custom api with the domain: (uses RS256 and can’t be changed)

I use the auth0 lock with relevant config:
new Auth0Lock(
‘the app client id’,
‘the app domain’,
auth: {
responseType: ‘token id_token’,
params: {
scope: ‘openid’
audience: ‘the api domain’

I get two JTW’s that can be viewed on

Backend is written in Scala so I use the java libs:

“com.auth0” % “java-jwt” % “3.4.1”,
“com.auth0” % “jwks-rsa” % “0.6.1”,

val token = "valid jwt"
  val provider = new JwkProviderBuilder("")
    .cached(10, 24, TimeUnit.HOURS)
    .rateLimited(50, 1, TimeUnit.MINUTES)

  val jwt = JWT.decode(token)
  val jwk = provider.get(jwt.getKeyId)
  val algo = Algorithm.RSA256(jwk.getPublicKey.asInstanceOf[RSAKey])

  algo.verify(jwt) // throws SignatureVerificationException

Can anyone spot the error? I’m not sure if the private key is supposed to be used somehow, but from what I could tell it’s only used when signing new tokens?

Hey there @durre, can you share the all libraries you are leveraging the backend? Seems like someone ran into a similar issue here. Any additional details you can give to better understand the challenge is appreciated. Thanks in advance!

Hi @James.Morrison!

You helped me find the error, sort of. :slight_smile: Long story short: One of my unit tests were designed to fail the verification. I mistook that error for the error that made my valid token fail, leading me down the wrong path.

As usual it’s an embarrassing mistake :slight_smile:

1 Like

I’m glad you were able to get it resolved. Be sure to swing back by if you have any additional questions in the future. Thanks!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.