Access token vs id token

Hi all,

I am currently implementing an API in which I understand the best practice is to secure using an access token rather than an id token. I am currently unsure about how to validate the access token. The documentation here claims that the access token should be a valid JWT, though the token I am seeing is not (it is a 32-character string without clear sections for the header, payload and signature). The documentation is quite confusing, so could someone please provide some advice on the correct way to validate the provided access token to authenticate API endpoints (I am currently using FastAPI)?



Hi @william.richards

You MUST specify an audience when requesting an access token. The audience is the name of the API that the token is valid for. If you do not specify an audience, you get an opaque access token (that 32-character string you are seeing).
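As an added illustration of the point above (example code written for this page, not code from either poster or from the identity provider), the check below first tells a JWT apart from an opaque token by its three base64url sections, then validates the claims an API should insist on: signature, issuer, audience and expiry. The issuer, audience and shared secret are constructed values, and the signature check uses HS256 from the standard library so the example runs offline; a real Auth0-issued access token is RS256-signed and is verified against the tenant's JWKS with a JWT library instead, which is the one piece this example stands in for.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only. A production API uses its own
# issuer and audience, and verifies RS256 signatures against the issuer's JWKS.
ISSUER = "https://example-tenant.example.com/"
AUDIENCE = "https://api.example.com"
SHARED_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_decode(part: str) -> bytes:
    # JWT sections drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def is_jwt(token: str) -> bool:
    """A JWT is header.payload.signature, each base64url; an opaque token is not."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False
    return isinstance(header, dict) and "alg" in header


def validate_access_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims if signature, issuer, audience and expiry all check out."""
    if not is_jwt(token):
        raise ValueError("opaque token: no audience was requested, cannot be validated by the API")
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the API expects; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(SHARED_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in audiences:
        raise ValueError("token not issued for this API")
    current = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= current:
        raise ValueError("token expired")
    return claims


def access_token_status(token: str, now: Optional[float] = None) -> str:
    """'ok' when the token is acceptable, otherwise the reason it was rejected."""
    try:
        validate_access_token(token, now)
    except ValueError as exc:
        return str(exc)
    return "ok"


def mint_demo_token(claims: dict) -> str:
    """Stand-in for the issuer: builds an HS256-signed JWT for the example."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    good = mint_demo_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-1", "exp": time.time() + 600})
    opaque = "a" * 32  # constructed stand-in for an opaque token
    print(access_token_status(good))    # ok
    print(access_token_status(opaque))  # opaque token: ...
```

In FastAPI the natural place for this is a dependency that pulls the `Authorization: Bearer ...` header, calls `validate_access_token`, and turns a `ValueError` into a 401, so every route that depends on it sees only validated claims.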