Can't use JWT with (short) access_token. id_token works

Hi, I’ve set up a simple app with vuejs (following the Auth0 Vue SDK guide) and an express server as my api (for accessing my database).

Now I wanted to restrict the access to my express server, to only serve registered users. Therefore I followed the “Auth0 Node (Express) API SDK” guide. At the end of the guide, I’m being asked to populate my client-side requests with an Authentication header. I thought it would suffice to assign “Bearer <access_token>” to my Authentication header, but for some reason the API always returns a “JWT malformed” error. On the other hand, if I assign the <id_token> to the Authorization header everything seems to work fine. Is this a problem? Shouldn’t I use the <access_token>? Why is the access_token so short?

I’m grateful for any help

You’re spot on to be using an access token to secure your api. :+1:

It sounds like you’ve got an opaque access_token; opaque tokens are much shorter than JWTs.

I see the Vue SDK guide you followed had you set the audience to 'https://<YOUR TENANT>.auth0.com/userinfo' when instantiating auth0.WebAuth. This audience will result in the access_token being an opaque string (see access token docs).

Try changing the audience on the client side request to the value you entered in the first step of the Node SDK guide. That should result in the access_token being a JWT.

Let me know if that helps.

Setting the audience to my api’s identifier did the job.
Thanks a lot! :grinning:

1 Like
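
A way to check which kind of token the client is sending before it reaches the API, as an added example that is not part of the original posts and not Auth0 code: it tells an opaque string from a JWT and reports whether the `aud` claim names the API. The function names, `API_ID`, and all token values are constructed for illustration; the ID token sample uses a client ID as its audience, which is why it parses as a JWT yet is not issued for the API.

```javascript
// Added diagnostic sketch, not Auth0 SDK code. It decodes WITHOUT verifying the
// signature: use it to inspect a token while debugging, never to authorize.

// Decode one base64url segment into a JSON object; null if it is not one.
function decodeSegment(segment) {
  try {
    const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
    const value = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return value !== null && typeof value === 'object' ? value : null;
  } catch (err) {
    return null;
  }
}

// Classify a bearer token and compare its "aud" claim with the API identifier.
function inspectAccessToken(token, expectedAudience) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  const decoded = parts.length === 3 ? parts.slice(0, 2).map(decodeSegment) : [];
  if (decoded.length !== 2 || decoded.includes(null)) {
    return { kind: 'opaque', audienceOk: false, audiences: [],
      reason: 'not a three-segment JWT; a JWT verifier reports it as malformed' };
  }
  // "aud" may be one string or an array of strings (RFC 7519, section 4.1.3).
  const aud = decoded[1].aud;
  const audiences = aud === undefined ? [] : [].concat(aud);
  const audienceOk = audiences.includes(expectedAudience);
  return { kind: 'jwt', audienceOk, audiences,
    reason: audienceOk ? 'JWT issued for this API' : 'JWT issued for another audience' };
}

// Constructed sample values; none of them come from a real tenant.
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const makeToken = (claims) => [enc({ alg: 'RS256', typ: 'JWT' }), enc(claims), 'c2ln'].join('.');
const API_ID = 'https://api.example.test'; // hypothetical API identifier
const opaqueToken = 'kX3vQ9ZpT1mB7cLr'; // short opaque-style access token
const apiToken = makeToken({ aud: [API_ID, 'https://tenant.example.test/userinfo'] });
const idToken = makeToken({ aud: 'constructedClientId', sub: 'user|1' }); // aud = client ID

for (const [name, token] of Object.entries({ opaqueToken, apiToken, idToken })) {
  console.log(name, '->', inspectAccessToken(token, API_ID).reason);
}
```

The API itself must still verify the signature, issuer and audience of every token it accepts; this check only explains what the client is sending.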
