Hi everyone,
I’m trying to automate some APIs tests with postman.
APIs are secured by Auth0 and we’re connecting with a mobile app (Authorization code flow + PKCE).
I see now postman has the feature to support PKCE, but it seems the token I get back is not a properly formed bearer token.
Some example below.
You’re getting an opaque access token most likely because you’re not including an audience in the authorize request. You can configure a custom API in the Auth0 dashboard and then use its identifier in the authorize request, as the audience.
You can try changing your Auth URL to something like:
https://{{auth0Domain}}/authorize?audience=YOUR_API_IDENTIFIER
You can also read more about opaque and JWT access tokens here:
https://auth0.com/docs/tokens/access-tokens/get-access-tokens#control-access-token-audience
Indeed adding the audience as the first parameter of the authorize request did the trick.
I also realized that myself, thanks anyway 
The same trick doesn’t work on client credentials flow though, still I need to specify audience, but in a POST request now and postman doesn’t seem to allow that
