Cannot Decode Access Token or "Corrupted JWT"

Problem statement

When a Client Application tries to decode an opaque JWE token, the decoding fails with errors.

A JWE token looks like this:
This example is copied from RFC 7516 - JSON Web Encryption (JWE), with a few edits. Unlike a JWT, it has 4 dots (.) in it, and the 2nd part of the token between the 2nd and the 3rd dots is empty.



When you get an Access Token without specifying an audience, it becomes an opaque JWE token that only makes sense to our internal (Authentication) API.
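
The following JavaScript is an added example, not code from the original article or from RFC 7516. It classifies a token by its compact-serialization shape (segment count plus the "enc" header), which is the difference that makes a JWT decoder reject a JWE Access Token. The name `classifyToken` and both sample tokens are constructed for this illustration.

```javascript
// Added example (not from the article). Runs in Node 16+ or a browser.
const b64urlEncode = (s) =>
  btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const b64urlDecode = (s) =>
  atob(s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4));

// Classify a token by shape only. Nothing is verified or decrypted here.
function classifyToken(token) {
  if (typeof token !== 'string' || token === '') {
    return { kind: 'invalid', segments: 0, payloadReadable: false };
  }
  const parts = token.split('.');
  let header = null;
  try {
    header = JSON.parse(b64urlDecode(parts[0]));
  } catch (e) {
    header = null; // first segment is not base64url-encoded JSON
  }
  const isObj = header !== null && typeof header === 'object' && !Array.isArray(header);
  let kind = 'opaque';
  if (isObj && parts.length === 5 && typeof header.enc === 'string') {
    kind = 'jwe'; // 4 dots and an "enc" header: the payload is ciphertext
  } else if (isObj && parts.length === 3 && typeof header.alg === 'string' && !('enc' in header)) {
    kind = 'jws'; // 2 dots: signed JWT, the payload is base64url JSON
  }
  return { kind, segments: parts.length, payloadReadable: kind === 'jws' };
}

// Constructed sample tokens (placeholder bytes, not real credentials).
const SAMPLE_JWS = [
  b64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  b64urlEncode(JSON.stringify({ sub: 'user-123', aud: 'https://api.example.test' })),
  b64urlEncode('constructed-signature'),
].join('.');
const SAMPLE_JWE = [
  b64urlEncode(JSON.stringify({ alg: 'dir', enc: 'A256GCM' })),
  '', // encrypted-key segment, empty for alg "dir"
  b64urlEncode('constructed-iv'),
  b64urlEncode('constructed-ciphertext'),
  b64urlEncode('constructed-tag'),
].join('.');

console.log(classifyToken(SAMPLE_JWS));
console.log(classifyToken(SAMPLE_JWE));
```

A client that gets `jwe` or `opaque` back should pass the token to the API unchanged instead of trying to read it.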


You should not decode an Access Token and rely on its payload on a Client Application. Instead, a resource server (API) should do that. If you are confused by the concept of Access Token/OAuth, please check these articles of ours: