Access token suddenly stopped containing the `kid` header

Our Authorisation just started failing when trying to verify users internally in the system.

We’ve been logging in via an SPA application to get an access token. We’ve then been using the header of that request to get the “kid” which we’ve been using to decode the token internally within our backend.
Today the access token stopped containing the kid header which means that we can no longer decode it.

We’ve not made any changes to our Auth0 configuration lately and this started failing simultaneously on all of our environments.

Has the Auth0 login process changed somehow that means that the access tokens are generated in a different way?

Hi there @emilhansen and welcome to the community!

Have you been able to make any progress on this?

I am not aware of any changes on Auth0’s end that would cause this. The only time I’ve seen an Access Token that doesn’t contain the kid header is if the access token was signed using HS256 as opposed to RS256. The reason being that the client secret is used in lieu of the kid in the context of HS256.

Let us know!
