Auth0 Home Blog Docs

Access_token too short ~ jwt malformed



Hi, I have a React app that built using your sample code that talks to a secure api running express and the React app returns a access_token but it’s too short, e.g.:

Authorization: Bearer O0PDdG2DjHQLLxOQYiPBT5qCbKtItgW3

Now I give this to my Express Server to decode with JWT (using your example):

var jwtCheck = jwt({
  secret: jwks.expressJwtSecret({
      cache: true,
      rateLimit: true,
      jwksRequestsPerMinute: 15,
      jwksUri: ""
  audience: '',
  issuer: "",
  algorithms: 'RS256']

Here’s the React Auth0 credentials:

export default class Auth {
  requestedScopes = 'openid profile read:messages write:messages';

  auth0 = new auth0.WebAuth({
    domain: '',
    clientID: '543534543535353453354',
    redirectUri: 'http://localhost:3000/callback',
    audience: '',
    responseType: 'token id_token',
    scope: this.requestedScopes

Any ideas where I’m going wrong?

Every time I give the access_token to JWT it tells me the JWT request is malformed.

Been at this for 2 days, any help greatly appreciated :frowning:


I have the same problem. But the idToken works


It might be possible that your access_token is not a JWT instead it is a string.
You can ask for a JWT token by setting appropriate audience.
Here are some helpful links -

1- []

2- []

Hope this helps!


There are two sections to look into in this flow, the SPA and the API. When you make a request to the /authorize endpoint and you use an audience like with a response_type='token id_token' you’re asking Auth0 to provide you with an access_token that will have the /userinfo audience and with an id_token that has some information about the user.

When you use as an audience parameter, you get a short access token (like the one you received) that is not designed to call your own API, as @priya.sharma.9362 said. It’s only meant to be used to call Auth0’s userinfo endpoint. If you want an access_token that can be verified and consumed by your API you need to do the following:

  • Create an API in Auth0 as explained in this document. The API identifier will be audience that we will use later. It’s highly recommended that you use RS256 as a signing algorithm
  • Use the identifier of the API you created as the audience parameter in the request to /authorize either manually or through auth0.WebAuth({}). Use response_type='token id_token to get both an access and an id token back.
  • Verify that you get back an access_token with the proper audience. You can use to inspect it.
  • Make a request to your API with this access_token as part of the Authorization header ( Authorization: Bearer <access_token> )
  • Verify your access_token in your API. This process is explained in this document in greater detail. In particular, you should verify the audience ( aud claim), the issuer ( iss ), the algorithm should be RS256 and you should use to get the proper keys. You may also need to check the scopes depending on your use case.


This is helpful @anny thanks, but I still need help.
I have a single page app, I do this:

  1. auth0.WebAuth.authorize(…)
  2. I receive a short access_token and a token_id, like you said.
  3. I pass access_token to webAuth.client.userInfo to get the userId.
  4. Now I want my backend (express/mongodb) to operate on this userId.
  5. For example, my backend has an /api/createProject endpoint, I want a user to request. Am I supposed to send the userId and short access_token with this request to my backend? If yes, how will my backend validate that the short access_token is valid and handle the request?


@anny So, if someone has the acces token that’s a string (not a JWT), here are some simple yes/no questions, supposing when does a call to /authorize and an audience (and default response types), and using RS256:

  1. one can a call the /userinfo endpoint?
  2. that call returns a result if the access token is set as Bearer in the Authorization header
  3. if the call returns the user info, can I assume that it means that the user is authenticated properly? (So, instead of validating a JWT, on could do a call to /userinfo to validate the access token and get some claims about the user (like email etc)?)

#9 If you’d like to authorize APIs with access tokens, you have to create an API in Auth0 and request this API’s access with the audience parameter when you’re authenticating. This will give you a JWT access token that you can send to the API, and the API can validate the JWT.
I won’t go into more detail, but there are a lot of docs that explain the process:


If you come across any specific problems, feel free to create a new discussion.

@kurt.sys It’s yes for all the questions. If you use Auth0.js, all these (validating ID token, calling /userinfo, etc) will be done automatically for you.


Tx, this was a great help!


Thanks priya!

I had the same issue as @uxgent.

In the auth0.js example (line 276 of example/index.js), I added the following to the instantiation of webAuth:

    webAuth = new auth0.WebAuth({
      audience: 'http://localhost:5000',   // <------------------- ADD
      domain: domain,
      redirectUri: REDIRECT_URL,
      clientID: clientId,
      responseType: 'token id_token',
      plugins: [
        new CordovaAuth0Plugin()

I now receive a JWT access token.