API Authentication With Access Token vs. ID Token


I’m currently implementing passwordless authentication with a SPA + API. We’re storing most user information in our DB. My goal is to only allow users to read their own records from the API.

It seems like I can do this using only ID tokens. So the user would hit a link in their email which would redirect to my SPA. The SPA would receive an access token and ID token corresponding to the user. The SPA would then make a call to the API for the user’s details.

Is there any reason I need to use the access token when calling my API? Can I not just pass along the ID token, then check the ID token details and signature in the API before responding?


Although you could use id_tokens in your API, this is not the standard and most secure way of securing your API. We have a lot of docs about this, so I’ll leave a few of them so you can take a look. Feel free to ask more questions, if you have any left (our docs are amazing :tada:)