Auth0 Home Blog Docs

Controlling payload for JWT



When using the Auth0 lock widget, I am forced to make it OIDC-compliant in order to specify an audience property. Once I do this, I throw an error whenever I run lock.getUserInfo:

{original: Error: Unsuccessful HTTP response
at Request. (http://localhost:5421/bundle.js:17429:…, statusCode: 401, code: “unauthorized”, description: “invalid credentials”}

If either I can get this method working, or if I can force the payload in my JWT to expose either a username or email, then my problem will be solved. Presently, my JWT exposes a property called “sub” that uniquely identifies a user, but I would prefer an email to be shown…how I might control the properties exposed in the JWT payload?


If you’re doing OIDC compliant authentication then you can request user information through the standard scopes that the specification defines. In particular, if you perform a request with the scope openid email then any ID token issued as part of that transaction will include the email and email_verified claims if the corresponding information is available for the user in question.

In addition to the above you can also add any custom claims through the mechanism explained here.

With regards to calls to /userinfo endpoint have in mind that these require that you provide an access token (not an ID token) suitable to call that endpoint.