Azp field in the access token


I have few questions about azp (Authorized Parties) field that exists in the access token generated by https://<TENANT-DOMAIN>/oauth/token.

  1. Why Auth0 adds azp field into the access token? Correct me if I’m wrong, but my understanding of azp is that it’s not part of OAuth claims, but part of OIDC claims.
  2. Would it be save if my web service doesn’t check azp field? And why it is save or not save?

Hello @herry

I don’t think azp is generated by default for access tokens. Are you using rules? Maybe one of them is adding it. Can you post a sample access token here?


1 Like

Yes, I’m using rules. I can confirm that azp is not added by my rules.

Here’s the example access token

  "iss": "https://<TENANT-DOMAIN>",
  "sub": "google-oauth2|82128273155679976732",
  "aud": [
  "iat": 1595518621,
  "exp": 1595554621,
  "azp": "ELuXIbyntYQwIgUb8kFRmAotDzoGdPQZ",
  "scope": "openid profile email",
  "permissions": ["permission"]

FYI, azp is also added if I use the client-credential flow for machine-to-machine authentication. Here is the example of the access token:

  "iss": "https://<TENANT-DOMAIN>",
  "sub": "rfQAKvUnjqBgDV4ZULGDligPNFTwOvLY@clients",
  "aud": "<AUDIENCE>",
  "iat": 1595518584,
  "exp": 1595554584,
  "azp": "rfQAKvUnjqBgDV4ZULGDligPNFTwOvLY",
  "gty": "client-credentials",
  "permissions": ["permission"]

I also can confirm that none of my hooks add azp field.

Hi @herry

There is a draft spec for OAuth access tokens that discusses the client_id field:
The client_id field is just the azp field by a different name (the azp field was probably added to the access token before the draft spec was published).
So that is why it is there.

As long as you follow the recommended checks (which do not include client_id or azp) you are doing the right thing.


Thank you @john.gateley. The reference of the IETF document is very useful.

I’m not aware of any Auth0 documentation that explains azp field of the access token. It would be great if we have one.