I currently have a React/NextJS SPA set up where we use Auth0 to register/login users. That all works nicely, and upon sign-in we’re able to retrieve either an access_token (not a JWT) or an id_token (which does appear to be a JWT). We have a separate API which we want to then pass one of these tokens to and use it to authenticate and make sure the user has sufficient permissions for their request. From what I’ve read and understand, we should be taking the access_token and using that to authenticate our routes. The access_token, however, didn’t seem to be a JWT. When I change the audience to be the identifier of our API (that I created on Auth0) it then starts to return a JWT for the access_token. I just wanted to know if that’s the proper way to do this or if I should be tackling this a different way. Any help is appreciated.