Auth Token via Postman has no payload

I have configured Postman as above. However, when I do this I get an access token with an empty payload.

eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9hZnRlcmxpZmUtZGV2LnVrLmF1dGgwLmNvbS8ifQ..ANVgXBZP8dlASE_S.rKuROKXZ7iViOaSMhZTNxQ3xhPvenHMLP25APdAs1nh3gutEV03nDYewPf6PWJwM8Za3KxhAgkkcrfuAVulkLmoN19QuON200N_GXATEeBdAagD2lknrsyDcknWgDB94d97pLqG_Nw3iZYOBJZmA9QcJQ0wrKgqX6iiINa7BABSzpkpxtM_dWIrTfR4qj6eTQjyON4YZbHyW4vBTXxcu55-0rTDAX1nPGrgcqYc9PEUCkoJr3g78q8adY1HjMQLEsnzyfUrWNOs0sNc5pga9snk9laaK9izcYU7mOeSkj6Tcnl41dhM_i-PAdYf23KUQdmspxibIxfcH7qHGjo6gH3XkCGUzhks-ei4E-egZhhI909fNlaVklDb1Z32SKpPl0Wl-gdBsiwW8Gleatbdska916ODf9it_6P-EBcMNpjIT-R9JiQ15GbWB-BM.2d7vP2ItTX2pDxVYeFCzrg

This is the decoded version from JWT.io

The access token when I authenticate as that user via Authorisation Code Flow with PKCE has a full payload and the header has different properties.

What am I doing wrong?

Hey there @baynezy !

From the looks of it, you aren’t passing an audience in the request to /token and are thus receiving an opaque access token. If you add in an audience param (API identifier) you should be good to go.

https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-resource-owner-password-flow#example-post-to-token-url

Thanks @tyf
I have updated the request to include audience as a query string parameter, as Postman doesn’t seem to support that natively.

This article seems to suggest this is the correct solution.

However, I am still getting an opaque token.

I have read the article that you posted and double-checked that I am doing as it suggests. I am so lost on what to do next, as nothing I tweak seems to work.

Hey @baynezy sorry for the delayed response!

Hmmm that’s super odd 🤔 I just tested in Postman myself, adding the audience param in the “Token Request” section and it’s working as expected. Can you double check that the audience you are passing is the exact same as the API Identifier listed for the API you’ve registered in Auth0? Additionally, it might be worth trying to cURL outside of Postman to see if that works.

@tyf firstly, please don’t apologise for the slow response. I really appreciate your help.

Secondly, adding the audience to the Token Request section as a Request body parameter did mean I got back a non-opaque token. However, my API won’t accept it as it says it has the wrong audience. I am going to create a new topic about that, and I will link to it here.

Thanks again.
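An added example, not code from the thread or from Auth0: a diagnostic that tells the five-segment encrypted token shown in the question apart from a three-segment signed JWT and compares the `aud` claim with the API identifier. The function names, the API identifier `https://api.example.test` and every token segment other than the header copied from the question are constructed for illustration, and no signature is verified.

```python
import base64
import json

def _b64url_json(segment):
    """Decode one base64url segment (padding restored) as JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def _segment(obj):
    """Encode a dict as an unpadded base64url segment (used for the constructed sample)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def inspect_access_token(token, expected_audience):
    """Classify a compact token and compare its audience. Diagnostics only: nothing is verified."""
    parts = token.split(".")
    try:
        header = _b64url_json(parts[0])
        claims = _b64url_json(parts[1]) if len(parts) == 3 else None
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        header, claims = None, None
    if isinstance(header, dict) and len(parts) == 5:
        # JWE compact form: header.encrypted_key.iv.ciphertext.tag
        # With alg "dir" the encrypted_key segment is empty, hence the ".." in the token.
        return {"kind": "JWE", "alg": header.get("alg"), "enc": header.get("enc"),
                "readable_claims": False}
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return {"kind": "opaque", "readable_claims": False}
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or a list
    return {"kind": "JWS", "alg": header.get("alg"), "readable_claims": True,
            "aud": audiences, "audience_ok": expected_audience in audiences}

# Header segment copied from the token in the question; the other segments are placeholders.
PAGE_HEADER = ("eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9h"
               "ZnRlcmxpZmUtZGV2LnVrLmF1dGgwLmNvbS8ifQ")
PAGE_SHAPED_TOKEN = PAGE_HEADER + "..IV.CIPHERTEXT.TAG"

# Constructed signed-JWT-shaped token whose audience is the assumed API identifier.
API_IDENTIFIER = "https://api.example.test"
CONSTRUCTED_JWS = ".".join([
    _segment({"alg": "RS256", "typ": "JWT"}),
    _segment({"iss": "https://tenant.example.test/", "aud": [API_IDENTIFIER]}),
    "SIGNATURE",
])

if __name__ == "__main__":
    print(inspect_access_token(PAGE_SHAPED_TOKEN, API_IDENTIFIER))
    print(inspect_access_token(CONSTRUCTED_JWS, API_IDENTIFIER))
    print(inspect_access_token(CONSTRUCTED_JWS, API_IDENTIFIER + "/"))  # trailing slash mismatch
```

The audience comparison is an exact string match, so a trailing slash or different scheme on either side reports `audience_ok: False`.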

