The ID token does indeed get passed from Auth0 (the authorization server) to a user’s browser. Tokens are typically stored in memory, but can also be stored in local storage. An ID token is the result of user authentication, whereas an access token is the result of authorization. Here’s a super helpful video explaining the difference:
The following documentation is also helpful in providing a high level overview (I reference it often as a refresher):
Thank you for your help!!! If I wear out your patience, just let me know, but I do have a few follow-up questions.
There’s an id_token and an access_token, and the former I guess identifies the user and proves that they’ve logged into (been validated by) Auth0, whereas the latter I guess grants access to an API. Question: do I need both? It seems like the id_token is essential, but I can’t figure out a use for the access_token in my application.
The access token is used to call an API. Typically, this is added as a header in a request to an external API, at which point the API verifies it and additionally checks for permissions. Some libraries that do this can be found here.
You can technically use the Authentication API to carry out most login functionality typically managed by Auth0 SDKs. The API will return tokens, but storage would be entirely up to you at that point without an SDK.