Auth0 Resource Owner Password Flow with JWT Tokens Error

Hi all,

I am working on a project that implements the Resource Owner Password flow from Auth0 with Express, however, I am running into an error.

Here’s the code:

import express, {Request, Response, Express} from "express";
import {auth} from "express-oauth2-jwt-bearer";


const PORT = process.env.PORT || 8080;

const checkJwt = auth({
    issuer: process.env.AUTH0_ISSUER_BASE_URL,
    audience: process.env.AUTH0_AUDIENCE_URL,
    secret: process.env.SECRET,
    tokenSigningAlg: "HS256"

const app: Express = express(),
    port = PORT;


app.get("/", (req: Request, res: Response) => {
    const auth = req.auth;
    res.json({"status": "Authenticated"});

app.listen(port, () => {
    console.log("Server listening on port " + port);

After I obtain an access token from Auth0, I try to use it with my own API but receive the following error:

InvalidTokenError: KeyObject or CryptoKey instances for asymmetric algorithms must not be of type "secret"

Hi @cameron_codes,

Welcome to the Auth0 Community!

If you inspect the token (you can do so at, what signing algorithm does it use? You should see it in the token header as the alg claim.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.