There are two sections to look into in this flow, the SPA and the API. When you make a request to the /authorize endpoint and you use an audience like https://YOUR_DOMAIN.auth0.com/userinfo with a response_type='token id_token' you’re asking Auth0 to provide you with an access_token that will have the /userinfo audience and with an id_token that has some information about the user.
When you use YOUR_DOMAIN.auth0.com/userinfo as an audience parameter, you get a short access token (like the one you received) that is not designed to call your own API, as @priya.sharma.9362 said. It’s only meant to be used to call Auth0’s userinfo endpoint. If you want an access_token that can be verified and consumed by your API you need to do the following:
- Create an API in Auth0 as explained in this document. The API identifier will be the `audience` that we will use later. It's highly recommended that you use RS256 as a signing algorithm.
- Use the identifier of the API you created as the `audience` parameter in the request to `/authorize`, either manually or through `auth0.WebAuth({})`. Use `response_type='token id_token'` to get both an access and an id token back.
- Verify that you get back an `access_token` with the proper audience. You can use jwt.io to inspect it.
- Make a request to your API with this `access_token` as part of the `Authorization` header (`Authorization: Bearer <access_token>`).
- Verify your `access_token` in your API. This process is explained in this document in greater detail. In particular, you should verify the audience (`aud` claim), the issuer (`iss`), the algorithm should be RS256 and you should use `https://YOUR_DOMAIN.auth0.com/.well-known/jwks.json` to get the proper keys. You may also need to check the scopes depending on your use case.