AccessToken validation guard

I created a validation guard like the one in Auth0 Node (Express) API SDK Quickstarts: Authorization, but encountered two interesting moments.

  1. When the token is expired, I am still getting a valid response.
  2. I can send an idToken instead of an accessToken and the response is still valid.

Is this correct behavior, or am I doing something wrong?

You should not get a valid response from a protected endpoint in either of these scenarios. Something is likely configured incorrectly.
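
The two checks the question turns on, as an added example that is not part of the original thread or of Auth0's SDK: a guard that rejects an expired token through `exp` and rejects an ID token through `aud`, since an Auth0 ID token carries the application's client ID as its audience rather than the API identifier. The secret, issuer, audience and function names are constructed for illustration, and HS256 with a shared secret stands in for the RS256/JWKS verification a real tenant would use so that the block runs offline.

```javascript
// Added example: constructed values; HS256 stands in for RS256/JWKS verification.
const { createHmac, timingSafeEqual } = require("node:crypto");

const SECRET = "constructed-demo-secret";          // hypothetical
const ISSUER = "https://tenant.example.test/";     // hypothetical tenant
const API_AUDIENCE = "https://api.example.test";   // hypothetical API identifier

const b64url = (v) => Buffer.from(v).toString("base64url");
const hmac = (data) => createHmac("sha256", SECRET).update(data).digest();

// Builds sample tokens for the demo only.
function signToken(claims) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${hmac(`${head}.${body}`).toString("base64url")}`;
}

// Returns { ok: true, claims } or { ok: false, reason }.
function verifyAccessToken(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, "base64url").toString());
    claims = JSON.parse(Buffer.from(body, "base64url").toString());
    if (!header || !claims) throw new Error("empty segment");
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm; never let the token header choose it.
  if (header.alg !== "HS256") return { ok: false, reason: "bad_alg" };
  const given = Buffer.from(sig, "base64url");
  const expected = hmac(`${head}.${body}`);
  if (given.length !== expected.length || !timingSafeEqual(given, expected))
    return { ok: false, reason: "bad_signature" };
  if (claims.iss !== ISSUER) return { ok: false, reason: "bad_issuer" };
  // exp must be present and still in the future.
  if (typeof claims.exp !== "number" || claims.exp <= nowSec)
    return { ok: false, reason: "expired" };
  // An ID token's aud is the client ID, so it fails this check.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(API_AUDIENCE)) return { ok: false, reason: "bad_audience" };
  return { ok: true, claims };
}
```

A guard that accepts both of the tokens described in the question is skipping the `exp` and `aud` steps, or is only decoding the token rather than verifying it.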
