Building Secure APIs with Rails 6 and Auth0

Learn how to easily integrate Auth0 with Rails 6 to build secure APIs.

Brought to you by John Brennan

Let’s join the discussion and let us know your thoughts Ruby developers!



You need to add audience to your auth_config.json then specify the audience in createAuth0Client. Your audience is the “Api Identifier”, handily labelled as “API Audience” on the dashboard list of APIs.

  auth0 = await createAuth0Client({
    domain: config.domain,
    client_id: config.clientId,
    audience: config.audience
  });

Then use the same options (or at the very least specify the audience again, when calling getTokenSilently)

const accessToken = await auth0.getTokenSilently(auth0.options);

This will return an accessToken that is a JWT


For my client integration I am using the auth0-spa-js tutorial. I call getTokenSilently() but the access token returned is only 32 characters long and clearly a different format. Am I missing a step to transform the client issued token into a JWT?
This gettokensilently-returns-a-32-character-string-not-jwt explains that you have to set the audience. I have tried setting the audience, restarting my SPA and double-checking that the options are being sent on login but I only ever receive a 32 char string, not a JWT.

The code to get the AccessToken is thus:

  const accessToken = await auth0.getTokenSilently();
  console.log("Access Token")

Note, I have not specifically configured any audience or scopes with Auth0 - it is pretty much vanilla setup.

Your response appreciated.

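The opaque-versus-JWT symptom described in the post above can be checked on the client before the token is sent to the Rails API. This is an added example, not code from the blog post or from Auth0; the function names, audience value and sample tokens are constructed, and the decoding is for debugging only and does not verify the signature.

```javascript
// Decode one base64url JWT segment (no padding) into an object.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const value = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (typeof value !== "object" || value === null) throw new Error("not a JSON object");
  return value;
}

// Classify an access token and check whether it was issued for expectedAudience.
// Hypothetical helper: it inspects claims only; the API must still verify the
// signature against the tenant's JWKS before trusting anything in the token.
function inspectAccessToken(token, expectedAudience) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) {
    return { format: "opaque", audienceOk: false,
             hint: "Not a JWT; check that `audience` is passed to createAuth0Client" };
  }
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (err) {
    return { format: "malformed", audienceOk: false,
             hint: "Header or payload is not base64url-encoded JSON" };
  }
  // `aud` may be a single string or an array of strings.
  const audiences = [].concat(payload.aud === undefined ? [] : payload.aud);
  const audienceOk = audiences.includes(expectedAudience);
  return { format: "jwt", alg: header.alg, audiences, audienceOk,
           hint: audienceOk ? "ok" : "Token was issued for a different audience" };
}

// Constructed sample data (not real tokens).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_AUDIENCE = "https://chirps.example/api"; // hypothetical API Identifier
const sampleOpaque = "Zx3kQ9vT1bLm7Hq2Wc8Yd4Nf6Rs0Ju5P"; // 32 characters
const sampleJwt = [
  b64url({ alg: "RS256", typ: "JWT" }),
  b64url({ iss: "https://tenant.example/", aud: [SAMPLE_AUDIENCE, "https://tenant.example/userinfo"] }),
  "constructed-signature",
].join(".");

console.log(inspectAccessToken(sampleOpaque, SAMPLE_AUDIENCE));
console.log(inspectAccessToken(sampleJwt, SAMPLE_AUDIENCE));
```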

Howdy, @itinsley! Welcome to the Auth0 Community and thank you for reading the blog post. I am glad that you got the issue sorted out.

That’s right, the audience parameter, which as you point out is the API Identifier in the Auth0 Dashboard, helps you get the access token needed to make API calls.

This guide section is using the React SDK, but under the hood, that SDK uses the Auth0 SPA SDK:

It highlights the initialization needed to get an access token.

Do you think that it would have been helpful to have included a demo client with this Rails blog post showing how to make protected API requests from a client to the Rails API?


Hi, thanks for getting back to me. Yeah, I imagine that what I was trying to do is pretty common. I was setting up a Rails API and a React Front-End with Auth0 for security but I had to work from two different tutorials and this audience setting was pretty critical and took a while to find as I don’t think it is mentioned in the auth0-spa-js tutorial.

I’m following this guide for building my first Rails 6 + Auth0 API,
but I’ve encountered an issue I can’t find a solution to, please help me understand where to look for an answer:

I’m trying to make a first authenticated ‘create’ action by running:

curl -H "Content-Type: application/json" -H "Authorization: bearer $API_TOKEN" -d '{"body":"this is my first chirp!", "published":true}' -X POST http://localhost:3000/chirps

My server responds with the following error:

Errno::ECONNREFUSED (Failed to open TCP connection to :80 (Connection refused - connect(2) for nil port 80)):

app/lib/json_web_token.rb:19:in `jwks_hash'
app/lib/json_web_token.rb:14:in `block in verify'
app/lib/json_web_token.rb:7:in `verify'
app/services/authorization_service.rb:20:in `verify_token'
app/services/authorization_service.rb:8:in `authenticate_request!'
app/controllers/secured_controller.rb:7:in `authorize_request'
- - [02/Jan/2021:12:54:19 IST] "POST /chirps HTTP/1.1" 500 19247
- -> /chirps

My environment is Ubuntu 20.04.1 LTS under WSL2:
PS C:\Users\YOLA> wsl -l -v
Ubuntu Running 2

Rails Server:
=> Booting WEBrick
=> Rails application starting in development http://localhost:3000


Howdy, Yonyossef! Thanks for reading this blog post. Could you please try using https in the request URL instead of http?

curl -H "Content-Type: application/json" -H "Authorization: bearer $API_TOKEN" -d '{"body":"this is my first chirp!", "published":true}' -X POST https://localhost:3000/chirps

Results in:

curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

This topic was automatically closed 26 days after the last reply. New replies are no longer allowed.