Auth0 Home Blog Docs

accessToken too small in callback with method .login()




no the client id etc is not real.

I’m trying to build a single page frontend app with VueJS/NuxtJS.
I have to use my own UI instead of the hosted login page.
I call this in my form page.
const webAuth = new auth0.WebAuth({
domain: ‘’,
clientID: ‘AAFL5VodxzGNdaza0lvBTE0JT7lZ8oG4’,
responseType: ‘token’,
‘redirectUri’: ‘http://localhost:3000/callback

On submit, this is called.
await webAuth.login({
realm: ‘Username-Password-Authentication’,
username: email,
password: password
}, function (err) {
if (err) {
throw err.description;

It then logs me in (as far as i can see in the logs from the dashboard) and redirects me to.

I call parseHash() in the callback page where i should as far i as can see pass the hash to the method.
with this.
<----- CALLBACK page ------>
<script> export default { name: "callback", data: function () { this.$store.dispatch('handleAuthentication', this.$route.hash); console.log("callback page"); return {} } } </script>

<----- the script above code calls ----->

async handleAuthentication({commit}, Hash) {
await webAuth.parseHash({hash: Hash}, (err, authResult) => {
if (authResult) {
commit('SET_USER', saveToken(authResult.accessToken));
} else if (err) {
commit('SET_USER', delToken());

The console.log(authResult) in that gives me following object:
“accessToken”: “GsHnQJPxQ9akg4VBgdDxGtUQKOoGhIsd1”,
“idToken”: null,
“idTokenPayload”: null,
“appState”: null,
“refreshToken”: null,
“state”: “3dqLECpdYK8B2DgOR5RZnOHNRldakpalB”,
“expiresIn”: 7200,
“tokenType”: “Bearer”,
“scope”: “openid profile email”

that access token doesn’t look right to me, I do a JWT check with saveToken() and it gives me a message “Invalid token specified: str is undefined”.

What am i doing wrong?
Do I call the wrong method inside the js SDK ?


Hey there, from what I can see the access_token is correct. When you do not request an audience as part of your login you will get an opaque access_token instead of a JWT.

Auth0 has two tokens id_token and access_token. The id_token will always be a JWT. This token will contain data that can be consumed by the client/application. The access_token is a token that represents authorization to a resource server/api. If you do not pass in an audience (a unique identifier of your resource server/api) you will not be issued a JWT for an access_token.


Make sense.
So I can also pass the id_token to my own API that is secured with Auth0?
Or does that only work with access_token ?


The id_token should not be sent to your APIs. If you want to protect your APIs you can model these in Auth0 through he management dashboard. You will be able to create scopes and a Unique identifier for the api. Once you create an API in Auth0 you will use the unique identifier as the audience parameter when you login.

Here is a doc for setting up an api:


I know that part.
And pass the JWT Bearer to my own API to get access.
I’m protecting my website with Auth0.js and my api with Auth0 core package.

They just need to communicate with each other.