Access_token too short ~ jwt malformed

Hi, I have a React app that built using your sample code that talks to a secure api running express and the React app returns a access_token but it’s too short, e.g.:

Authorization: Bearer O0PDdG2DjHQLLxOQYiPBT5qCbKtItgW3

Now I give this to my Express Server to decode with JWT (using your example):

var jwtCheck = jwt({
  secret: jwks.expressJwtSecret({
      cache: true,
      rateLimit: true,
      jwksRequestsPerMinute: 15,
      jwksUri: ""
  audience: '',
  issuer: "",
  algorithms: 'RS256']

Here’s the React Auth0 credentials:

export default class Auth {
  requestedScopes = 'openid profile read:messages write:messages';

  auth0 = new auth0.WebAuth({
    domain: '',
    clientID: '543534543535353453354',
    redirectUri: 'http://localhost:3000/callback',
    audience: '',
    responseType: 'token id_token',
    scope: this.requestedScopes

Any ideas where I’m going wrong?

Every time I give the access_token to JWT it tells me the JWT request is malformed.

Been at this for 2 days, any help greatly appreciated :frowning:

1 Like

I have the same problem. But the idToken works

1 Like

It might be possible that your access_token is not a JWT instead it is a string.
You can ask for a JWT token by setting appropriate audience.
Here are some helpful links -

1- [Validate Access Tokens]

2- []

Hope this helps!


There are two sections to look into in this flow, the SPA and the API. When you make a request to the /authorize endpoint and you use an audience like with a response_type='token id_token' you’re asking Auth0 to provide you with an access_token that will have the /userinfo audience and with an id_token that has some information about the user.

When you use as an audience parameter, you get a short access token (like the one you received) that is not designed to call your own API, as @priya.sharma.9362 said. It’s only meant to be used to call Auth0’s userinfo endpoint. If you want an access_token that can be verified and consumed by your API you need to do the following:

  • Create an API in Auth0 as explained in this document. The API identifier will be audience that we will use later. It’s highly recommended that you use RS256 as a signing algorithm
  • Use the identifier of the API you created as the audience parameter in the request to /authorize either manually or through auth0.WebAuth({}). Use response_type='token id_token to get both an access and an id token back.
  • Verify that you get back an access_token with the proper audience. You can use to inspect it.
  • Make a request to your API with this access_token as part of the Authorization header ( Authorization: Bearer <access_token> )
  • Verify your access_token in your API. This process is explained in this document in greater detail. In particular, you should verify the audience ( aud claim), the issuer ( iss ), the algorithm should be RS256 and you should use to get the proper keys. You may also need to check the scopes depending on your use case.

This is helpful @anny thanks, but I still need help.
I have a single page app, I do this:

  1. auth0.WebAuth.authorize(…)
  2. I receive a short access_token and a token_id, like you said.
  3. I pass access_token to webAuth.client.userInfo to get the userId.
  4. Now I want my backend (express/mongodb) to operate on this userId.
  5. For example, my backend has an /api/createProject endpoint, I want a user to request. Am I supposed to send the userId and short access_token with this request to my backend? If yes, how will my backend validate that the short access_token is valid and handle the request?

@anny So, if someone has the acces token that’s a string (not a JWT), here are some simple yes/no questions, supposing when does a call to /authorize and an audience (and default response types), and using RS256:

  1. one can a call the /userinfo endpoint?
  2. that call returns a result if the access token is set as Bearer in the Authorization header
  3. if the call returns the user info, can I assume that it means that the user is authenticated properly? (So, instead of validating a JWT, on could do a call to /userinfo to validate the access token and get some claims about the user (like email etc)?) If you’d like to authorize APIs with access tokens, you have to create an API in Auth0 and request this API’s access with the audience parameter when you’re authenticating. This will give you a JWT access token that you can send to the API, and the API can validate the JWT.
I won’t go into more detail, but there are a lot of docs that explain the process:

  1. Single-Page Applications (SPA) with API

If you come across any specific problems, feel free to create a new discussion.

@kurt.sys It’s yes for all the questions. If you use Auth0.js, all these (validating ID token, calling /userinfo, etc) will be done automatically for you.


Tx, this was a great help!

Thanks priya!

I had the same issue as @uxgent.

In the auth0.js example (line 276 of example/index.js), I added the following to the instantiation of webAuth:

    webAuth = new auth0.WebAuth({
      audience: 'http://localhost:5000',   // <------------------- ADD
      domain: domain,
      redirectUri: REDIRECT_URL,
      clientID: clientId,
      responseType: 'token id_token',
      plugins: [
        new CordovaAuth0Plugin()

I now receive a JWT access token.

1 Like

If I add ‘audience=’ to the URL, then it no longer prompts for login, and redirects to the URL without the #… Token at all WTF?

I’m attempting to switch an app that uses ADFS over to Auth0 for the Dev/QA environments (and maybe later just in general), so I’m using the Angular OAuthService, and not any Auth0 objects. To add the Audience I simply added:

    this.oAuthService.customQueryParams = {
        'audience': 'http://localhost:4205'

And now nothing works at all, before it was returning the access_token as garbage (not a JWT at all), and the id_token as what I’m looking for (except the oAuthService is only looking at the Access_Token and injects that into further requests and gets “Invalid Token”) . It doesn’t seem to matter how I configure Auth0 for Single page app, or for normal web app, nothing seems to work.

Any idea why it does something crazy if you specify the Audience?

I’d ask customer support, but they aren’t interested in helping people become paying customers, only helping people who already are.

Also, if I could get OAuthService to just use the Id_Token and inject that (it is requesting an Id_Token, but not using it) I could do that, because ADFS returns both tokens correctly, and I could use either one of them. However, OAuthService doesn’t let you set the token (makes sense, kind of invalidates the security if you can just set it’s AccessToken = IdToken)… Would be happy with that solution too… I was looking for a way to just have Auth0 return the AccessToken. (I’ve not setup any APIs on Auth0 - maybe that is what I need to do?)

OMFG!! - I changed it to ‘Audience’ and it started prompting for login, is it case sensitive? However, it still gives a short access token that is useless, so any other ideas people?

I did some research and it works for me.


  1. Need to use audience
  2. Configuration in my angular app. All the keys are case sensitive.
    clientID: <your_client_id>',
    domain: '<>',
    audience: 'https://<>/api/v2/',
    redirect: 'http://localhost:4200/callback',
    logoutRedirect: 'http://localhost:4200',
    scope: 'openid profile email'


  1. If you want access token as JWT then you must have to set audience.
  2. Set APIs https://<>/api/v2/ in audience as given above example. Userinfo endpoint not working for me.
  3. In the URL / is required at last. https://<>/api/v2/
  4. Node side JWT verification
const authCheck = jwt({
    secret: jwks.expressJwtSecret({
        cache: true,
        rateLimit: true,
        jwksRequestsPerMinute: 5,
        jwksUri: 'https://<>/.well-known/jwks.json'
    // This is the identifier we set when we created the API
    audience: 'https://<>/api/v2/',
    issuer: 'https://<>/',
    algorithms: ['RS256']
  1. In the URL / is required at last. https://<>/api/v2/ and https://<>/

I’ve update code in my github. Github: GitHub - kdhttps/auth0-angular-node: Auth0 authentication with Angular and NodeJS


Thanks a lot @kdhttps for sharing it with the rest of community!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

For future reference :books:

1 Like