Hi! I’m a newbie struggling to wrap my head around Auth0 and I’ve a basic question (well, many, but here’s the first one).
Does the JWT id_token ever get passed from Auth0 to a user’s browser, so that they can then use it to identify themselves to a web application (let’s say, PHP), perhaps storing it as a cookie, or not?
The ID token does indeed get passed from Auth0 (the authorization server) to a user’s browser. Tokens are typically stored in memory, but can also be stored in local storage. An ID token is the result of user authentication, whereas an access token is the result of authorization. Here’s a super helpful video explaining the difference.
The following documentation is also helpful in providing a high level overview (I reference it often as a refresher):
Thank you for your help!!! If I wear out your patience, just let me know, but I do have a few follow-up questions.
There’s an id_token and an access_token, and the former I guess identifies the user and proves that they’ve logged into (been validated by) Auth0, whereas the latter I guess grants access to an API. Question: do I need both? It seems like the id_token is essential, but I can’t figure out a use for the access_token in my application.
Is it possible to achieve token storage (id_token and/or access_token) in the browser in memory or local storage without JavaScript and the Auth0 SDK? I’m guessing “no” but again I’m trying to build up an accurate mental model of this stuff.
The access token is used to call an API - Typically, this is added as a header in a request to an external API at which point the API verifies it and additionally checks for permissions. Some libraries that do this can be found here.
You can technically use the Authentication API to carry out most login functionality typically managed by Auth0 SDKs - The API will return tokens, but storage would be entirely up to you at that point without an SDK.
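As an added illustration of the API-side check described in the reply above (not code from the poster or from Auth0), here is a minimal resource-server routine that pulls the bearer token out of the `Authorization` header, verifies it, and checks the `permissions` claim. The secret, issuer and audience values are constructed for the demo, and HS256 is used only to keep the example self-contained; an API protected by Auth0 would normally validate RS256 signatures against the tenant's JWKS instead.

```python
import base64, hashlib, hmac, json, time

# Constructed values for the demo. A real Auth0-protected API would verify
# RS256 signatures against the tenant's JWKS; HS256 keeps this self-contained.
SECRET = b"demo-shared-secret"
EXPECTED_ISS = "https://example-tenant.auth0.com/"  # hypothetical issuer
EXPECTED_AUD = "https://api.example.com"  # hypothetical API identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict) -> str:
    """Mint an HS256 JWT, standing in for the access token Auth0 would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_request(headers: dict, required_permission: str, now=None) -> dict:
    """Check the bearer token in the Authorization header and return its claims.
    Raises PermissionError on any failure so the caller can answer 401/403."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h, b, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # pin the algorithm; never trust the header
    expected = hmac.new(SECRET, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise PermissionError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if required_permission not in claims.get("permissions", []):
        raise PermissionError("insufficient permissions")
    return claims
```

The same checks (signature, issuer, audience, expiry, then permissions) are what the Auth0 API-side libraries linked in the reply perform for you; this shows what happens inside them.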