Can I read the Access Token from my frontend app?

Question: Can I read the Access Token from my frontend app?

Answer:

Generally, you shouldn’t.

Each token issued by Auth0 has an intended audience. The audience indicates who should consume the token. Read more about that here.

Your frontend application may be able to decode the Access Token, but it should not, as it is not the intended audience of this token.

Instead of looking inside the token, we recommend using Actions to add custom claims to the ID Token that provides the information necessary to your frontend application.

This could be custom data in the user’s metadata or information about the user, like Roles.

Let us know if you have any questions!

Supporting Documentation:

Documentation: Auth0 Actions, Create Namespaced Custom Claims, Understand How Metadata Works in User Profiles, Manage Role-Based Access Control Roles
Community Topic: What is the Audience?

2 Likes