
Access_token too short - audience is correct



Hi, I have been using the new version 9.2.2 for about two weeks, and everything was working perfectly. Yesterday, however, I created a new user and logged in; everything was fine, then all of a sudden I started getting unauthorized results back from my server. I investigated and found that the access_token was way too short, about the size of a regular GUID. I logged out and back in and everything was OK again, but this has me quite concerned. What caused the short access token to be returned?

Each time I refreshed the page, auth0.js also said that I was authenticated even with this short access token. This should not be happening; it’s also worrying that it’s not easy to reproduce. I have definitely got my audience set, so I should be getting back a JWT every single time with no exceptions, but now twice in a month I have received an opaque token instead of a JWT.


It’s possible that you are using a deprecated endpoint, but we’d need to see the requests to be sure.

Would you be able to share the code you’re using along with a HAR file (please remove any sensitive details such as passwords) so we can have a closer look at what’s going on?

Please upload both to a cloud storage service (e.g. Google Drive), and share the link with us. Feel free to restrict access to the link for only email addresses using

Thanks in advance.


Thanks Richard,

I will try; the problem is that this does not happen very often, it’s only happened twice in the last month. I am busy doing dev against the API, so I am logging in a couple of times every day. Also worth noting is that it only seems to have started when I upgraded to auth0.min.js v9.2.2. I hear your point about the endpoint possibly being incorrect; however, it works 99.9% of the time. But there def seems to be some edge case that is causing the opaque token to be returned and not the JWT. I will try to get the HAR, but I cannot predict when it’s going to do this again.
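
The symptom described in this thread is a client that reports an authenticated session while holding an opaque access token that the API rejects. The following is an added example, not code from the thread or from auth0.js: a client-side guard that classifies the access token as JWT or opaque and checks its `aud` and `exp` claims before the session is treated as usable. All function names, the audience URL and the sample tokens are constructed for illustration.

```javascript
// Added example; helper names and sample values are constructed, not auth0.js API.
const hasAtob = typeof atob === 'function';
const toBin = (b64) => (hasAtob ? atob(b64) : Buffer.from(b64, 'base64').toString('binary'));
const toB64 = (bin) => (hasAtob ? btoa(bin) : Buffer.from(bin, 'binary').toString('base64'));

// Decode one base64url JWT segment into a JSON value.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(toBin(b64.padEnd(Math.ceil(b64.length / 4) * 4, '=')));
}

// Build a sample token with a placeholder signature (constructed demo data only).
function makeSampleToken(claims) {
  const enc = (obj) => toB64(JSON.stringify(obj))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(claims), 'c2lnbmF0dXJl'].join('.');
}

// Inspect token shape and claims before the client treats the session as usable.
// No signature check here: verifying the signature remains the API's job.
function checkAccessToken(token, expectedAudience, nowSeconds) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) {
    return { ok: false, kind: 'opaque', reason: 'not a three-part JWT' };
  }
  let claims;
  try {
    decodeSegment(parts[0]); // the header must parse as JSON too
    claims = decodeSegment(parts[1]);
    if (claims === null || typeof claims !== 'object') throw new Error('not an object');
  } catch (err) {
    return { ok: false, kind: 'opaque', reason: 'segments are not base64url JSON' };
  }
  // "aud" may be a single string or an array of strings.
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(expectedAudience)) {
    return { ok: false, kind: 'jwt', reason: 'audience mismatch' };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { ok: false, kind: 'jwt', reason: 'expired or missing exp' };
  }
  return { ok: true, kind: 'jwt', reason: 'ok' };
}

const API_AUDIENCE = 'https://api.example.test'; // constructed audience
const NOW = 1700000000; // fixed clock so the demo is deterministic
const goodToken = makeSampleToken({ aud: [API_AUDIENCE], exp: NOW + 3600 });
const opaqueToken = 'hN8sYb3kQ1zLw0pTf2VxR7uE9mCaJd4G'; // constructed GUID-sized value
console.log(checkAccessToken(goodToken, API_AUDIENCE, NOW), checkAccessToken(opaqueToken, API_AUDIENCE, NOW));
```

Logging the `kind` and `reason` whenever the check fails also gives a timestamped record of each opaque-token occurrence, which helps when the problem is too rare to capture on demand.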