Building Secure APIs with Rails 6 and Auth0

Learn how to easily integrate Auth0 with Rails 6 to build secure APIs.

Learn more

Brought for you by John Brennan

1 Like

Let’s join the discussion and let us know your thoughts Ruby developers!



You need to add audience to your auth_config.json then specify the audience in createAuth0Client. Your audience is the “Api Identifier”, handily labelled as “API Audience” on the dashboard list of API’s

  auth0 = await createAuth0Client({
    domain: config.domain,
    client_id: config.clientId,
    audience: config.audience

Then use the same options (or at the very least specify the audience again, when calling getTokenSilently)

const accessToken = await auth0.getTokenSilently(auth0.options);

This will return an accessToken that is a JWT


For my client integration I am using the auth0-spa-js tutorial. I call getTokenSilently() but the access token returned is only 32 characters long and clearly a different format. Am I missing a step to transform the client issued token into a JWT?
This gettokensilently-returns-a-32-character-string-not-jwt explains that you have to set the audience. I have tried setting the audience, restarting my SPA and double-checking that the options are being sent on login but I only ever receive a 32 char string, not a JWT.

The code to get the AccessToken is thus:

  const accessToken = await auth0.getTokenSilently();
  console.log("Access Token")

Note, I have not specifically configured any audience or scopes with Auth0 - it is pretty much vanilla setup.

Your response appreciated.

1 Like

Howdy, @itinsley! Welcome to the Auth0 Community and thank you for reading the blog post. I am glad that you got the issue sorted out.

That’s right, the audience parameters, which as you point out is the API Identifier in the Auth0 Dashboard, helps you get the access token needed to make API calls.

This guide section is using the React SDK, but under the hood, that SDK uses the Auth0 SPA SDK:

It highlights the initialization needed to get an access token.

Do you think that it would have been helpful to have included a demo client with this Rails blog post showing how to make protected API requests from a client to the Rails API?

1 Like

Hi, thanks for getting back to me. Yeah, I imagine that what I was trying to do is pretty common. I was setting up a Rails API and a React Front-End with Auth0 for security but I had to work from two different tutorials and this audience setting was pretty critical and took a while to find as I don’t think it is mentioned in the auth0-spa-js tutorial