Auth protected app with custom sign in screens

I’ve read around the docs a few times but I don’t fully understand how to use Auth0 as a simple REST API to allow me to use custom sign in screens. The SDK and Lock don’t seem to meet that criteria as the former redirects off-site and the latter embeds the Auth0 component.

This is where I have got to:

  1. Hit /oauth/token to retrieve id_token and access_token
  2. Store token in local storage (in order to save authed state across sessions)
  3. Hit /userinfo endpoint to retrieve user profile

Is this the right approach? Is there a better way?

The next part I need to do is to validate a saved access_token, which I think I do by analysing the expiration date in the JWT token?


I guess this disproves the idea to decode the JWT, so what’s the best way to validate a saved access_token using a REST API?