Authorization code flow returns opaque token instead of JWT even though audience is set


I’m trying to request an access token for an API using the authorization code flow. I’m using Postman’s built-in access token getter. The application it’s authenticating for is an SPA. I have all the URLs set and also an audience, but it receives an opaque token instead of a JWT. The Auth0 docs say a JWT should be returned if I request an audience.

Anyone know what might be the problem?

Hi @brady.dean,

Welcome to the Auth0 Community!

I understand that you’ve been obtaining an opaque token instead of a JWT access token.

Yes, that is correct. You will need to specify the audience parameter to get a JWT access token. Not specifying an audience parameter will return an opaque token with the information from the /userinfo endpoint. This is consistent with our Control Access Token audience documentation.

I have just tested this myself and can confirm that including the audience returns a JWT token, whereas excluding the audience returns an opaque token. This is working as expected.

In this case, I recommend that you make sure that the /authorize request when using Postman recognizes the audience parameter or the changes you made to your request.

Please let me know how this goes for you.

Thank you.

Thanks for double checking with the audience parameter. I’ll try to see if I can find more information about Postman.

The Postman console is showing the audience set in the request body to /oauth/token.

Hi @brady.dean,

Thank you for your responses!

I believe you’ll need to adjust the audience parameter when you make the /authorize request to obtain the authorization code.

For example:


In this request, please specify the audience parameter with your API identifier. Then in the response, you’ll obtain an authorization code that you can use with the /oauth/token endpoint to obtain the Access Token as a JWT.

Please let me know how this works out.

Thank you.

Postman doesn’t seem to log the request to /authorize. I don’t know what it’s sending there.

I’ll take your word that Auth0 is handling the requests correctly. It seems to be an issue with Postman. I filed a bug report for the logging so hopefully that uncovers a deeper issue.

Hi @brady.dean,

I am unsure what is happening on your side with Postman. But have you followed our Call Your API Using the Authorization Code Flow docs?

Personally, I have managed to get this to work by doing the following:

  1. Open a web browser and put the /authorize request in the URL.

  2. Log in with a user that has access to log in to the app

  3. Check the Network Activity and the callback URL trace

  4. The response should follow this format https://YOUR_APP/callback?code=AUTHORIZATION_CODE&state=xyzABC123

  5. I copy this code carefully and paste it in Postman with the /oauth/token endpoint and retrieve my Access Token.

This might be worth a try just to rule out that something is happening with Postman.
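
The manual steps above, sketched as an added example that is not part of the original post and is not Auth0's or Postman's code: it builds the /authorize request with the audience, checks the callback's state before accepting the code, and tells an opaque token from a JWT carrying the expected `aud`. The domain, client ID, URLs, default scope and sample tokens are constructed assumptions, and the token check is inspection only, not signature validation.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit, parse_qs

def build_authorize_url(domain, client_id, redirect_uri, audience, state,
                        scope="openid profile"):  # scope default is an assumption
    """Step 1: the audience has to be on this request, not only on /oauth/token."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope,
                       "audience": audience, "state": state})
    return f"https://{domain}/authorize?{query}"

def parse_callback(callback_url, expected_state):
    """Step 4: return the code only if state matches what step 1 sent."""
    params = parse_qs(urlsplit(callback_url).query)
    if params.get("state", [None])[0] != expected_state or "code" not in params:
        raise ValueError("state mismatch or missing code: discard this callback")
    return params["code"][0]

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) as JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def inspect_access_token(token, expected_audience):
    """Classify a token as opaque or JWT and check its aud claim.
    Inspection only: the signature is NOT verified here."""
    opaque = {"format": "opaque", "audience_ok": False}
    parts = token.split(".")
    if len(parts) != 3:
        return opaque
    try:
        header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return opaque
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return opaque
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    return {"format": "jwt", "audience_ok": expected_audience in aud}

# Constructed sample tokens (not real credentials; the signature is a placeholder).
def seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_JWT = ".".join([seg({"alg": "RS256", "typ": "JWT"}),
                       seg({"aud": ["https://api.example.test"]}), "c2ln"])
SAMPLE_OPAQUE = "constructed-opaque-token-value"
```

An API receiving the token still has to verify the signature and claims with a JWT library before trusting it.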


I tried it your manual way and it worked perfectly requesting the audience at /authorize.


Hi @brady.dean,

Great! I’m happy to hear this little manual hack works.

I hope this workaround will be adequate for you to carry on your development.

Please let me know if you have any more questions or concerns. I’d be happy to help.

Thank you!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.