
Authorize user from Lock of SPA with API



I have an SPA client and an API set up in Auth0.
How can I get a valid access_token for my API from Auth0Lock authentication from within the SPA?
My lock configuration contains the following:

auth: {
    params: {
        scope: 'openid email',
        audience: 'API IDENTIFIER'
    response_type: 'id_token token',

The ‘accessToken’ I receive along with the ‘idToken’ from the Lock authentication is always 16 characters long, is not a valid JWT, and is not usable to authenticate with my API.
Any ideas on what I could be doing wrong?


At this time, using Lock embedded within the client application itself does not fully support the API Authorization feature set, and there’s also no formal documentation on what you could try to experiment with from what’s available. Although there is work in progress to provide this possibility, for now I would recommend that you consider the use of Auth0.js v8, which fully supports it and for which there is documentation.

In particular, you should take a look at the authorize method which allows you to redirect to the hosted login page (and still show Lock there) which could mean a similar experience while being able to leverage the API authorization functionality.
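
A quick way to tell the 16-character non-JWT token described in the question apart from a JWT access token issued for the API, as an added example that is not part of the original thread. The name `inspectAccessToken`, the sample tokens and the API identifier are assumptions constructed for illustration; it runs under Node.js and checks structure, `aud` and `exp` only, leaving signature verification to the API.

```javascript
// Added example for Node.js; not code from the thread or from Auth0.
// Structural triage only: the signature is NOT verified here; the API must do that.
const API = 'https://api.example.test/';   // constructed API identifier
const SAMPLE_OPAQUE = 'aBcDeFgHiJkLmNoP';   // constructed 16-character token

// Encode an object as one base64url segment (used only to build the sample JWT).
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_JWT = [enc({ alg: 'RS256', typ: 'JWT' }),
  enc({ aud: [API], exp: 4102444800 }), 'constructed-signature'].join('.');

// Decode one base64url segment as a JSON object; null on any failure.
function b64urlJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) return null;
  try {
    const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
    const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return obj && typeof obj === 'object' ? obj : null;
  } catch (e) {
    return null;
  }
}

function inspectAccessToken(token, expectedAudience) {
  const fail = (kind, reason) => ({ kind, usableForApi: false, reason });
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return fail('opaque', 'not three dot-separated segments');
  const header = b64urlJson(parts[0]);
  const payload = b64urlJson(parts[1]);
  if (!header || !payload || typeof header.alg !== 'string') {
    return fail('malformed', 'header or payload is not a JSON object');
  }
  if (header.alg.toLowerCase() === 'none') return fail('jwt', 'unsigned token');
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expectedAudience)) {
    return fail('jwt', 'aud does not include the API identifier');
  }
  if (typeof payload.exp !== 'number' || payload.exp * 1000 <= Date.now()) {
    return fail('jwt', 'exp missing or in the past');
  }
  return { kind: 'jwt', usableForApi: true, reason: 'shape, aud and exp are plausible' };
}

console.log(inspectAccessToken(SAMPLE_OPAQUE, API));
console.log(inspectAccessToken(SAMPLE_JWT, API));
```

A result of `opaque` in the SPA means the token cannot be validated as a JWT by the API, which matches the symptom in the question.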


Ah I see.

We’ve now stepped away from the Auth0 Lock by building our own login page and are now only using the Auth0js lib.