Auth0 Home Blog Docs

Checking token validity/expiry



My goal has always been to implement the architecture proposed in this article. Basically I want access tokens (i.e. opaque) to be exchanged on the internet, and ID token (i.e. JWT) inside my private network. With Auth0 I’ve used the following architecture:

![alt text][1]

My web client uses Auth0.js to login, auth0 sends both access token and JWT. All API calls to my backend server go through an API Gateway (edge service) which expects the access token to be passed in the headers. The edge service will then call /userinfo endpoint from auth0 to get the user profile. It then creates its own JWT using this profile, signed with my own keys as opposed to the Auth0 key.

This has the major drawback of making a call to Auth0 for every API call, so I’ve added caching of the /userinfo response. However this API call does not return the expiry date of the access token. Thus, if I use the access token as the key in my cache, I cannot know when this access token will expire.

Is there a way in Auth0 to know the expiry date of an access token?

Alternatively, is there a better architecture? Do people usually send an ID token to their backend so it can be verified without calls to Auth0?


A typical access token [payload] ( will look something like:

  "iss": "",
  "aud": "",
  "iat": 1518189923,
  "exp": 1518197123,
  "scope": "openid profile email"

As you can see, you have two unix timestamps, iat and exp, the Issued At and the Expiration Time claims, respectively. You can check the validity of the access token by decoding it and checking the exp value. For more info on decoding JWTs, please check:


That very much looks like an ID token (i.e a JWT) and not the access token (i.e. opaque) I was referring to


Access tokens can also be JWTs, this would enable you to check the expiration value. From the documentation:

If the audience is set to the unique
identifier of a custom API, then the
Access Token will be a JSON Web Token


yes I know, that’s the alternative design I am mentioning in my question. I’ve actually already done that, I now send a JWT instead of an opaque token. But I’m still curious to see if people consider this best practice or not