Email not included in JWT access token payload

Hello,

I am having an issue. I have added the email scope, but the user's email is still not included in the JWT access token payload.

I am using Next.js on the frontend, where I get the token.
This is how I handle my login in the Next API routes:

import { handleAuth } from '@auth0/nextjs-auth0';

if (
  !process.env.AUTH0_BASE_URL ||
  !process.env.AUTH0_SECRET ||
  !process.env.AUTH0_ISSUER_BASE_URL ||
  !process.env.AUTH0_CLIENT_ID ||
  !process.env.AUTH0_CLIENT_SECRET
) {
  throw new Error('Missing Auth0 environment variables');
}

// Note: We do not use `params` in this route handler. The warning can be ignored.

export const GET = handleAuth();
export const POST = handleAuth();
export const PUT = handleAuth();
export const DELETE = handleAuth();

In the backend I am using Nest.js.
This is my JWT strategy in the backend:

import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { ExtractJwt, Strategy } from 'passport-jwt';
import * as jwksRsa from 'jwks-rsa';

@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
  constructor() {
    super({
      // Resolve the signing key from Auth0's JWKS endpoint, selected by the token's "kid" header
      secretOrKeyProvider: jwksRsa.passportJwtSecret({
        cache: true,
        rateLimit: true,
        jwksRequestsPerMinute: 5,
        // AUTH0_ISSUER_BASE_URL must end with a trailing slash (it does in the token's "iss")
        jwksUri: `${process.env.AUTH0_ISSUER_BASE_URL}.well-known/jwks.json`,
      }),
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(), // reads "Authorization: Bearer <token>"
      audience: process.env.API_ENDPOINT, // must match one value in the token's "aud" array
      issuer: process.env.AUTH0_ISSUER_BASE_URL, // must match token's "iss"
      algorithms: ['RS256'], // pin the algorithm; never let the token choose it
    });
  }

  // Only called after signature, exp, aud and iss have been verified by passport-jwt
  async validate(payload: any) {
    return payload;
  }
}

JWT access token payload

{
  "iss": "https://dev-ba1x5rok53uuqkl0.us.auth0.com/",
  "sub": "auth0|6808ca7135629091a4429fa8",
  "aud": [
    "http://localhost:8080",
    "https://dev-ba1x5rok53uuqkl0.us.auth0.com/userinfo"
  ],
  "iat": 1745503663,
  "exp": 1745590063,
  "scope": "openid profile email",
  "azp": "M2uAyZhg5X9ecdWiKiYp0PP47NVXNOnD"
}

Hi @nicolatesla0987,

Thanks for your question.

I have answered your question in this thread.

TLDR:
Essentially, you can find the email_address and email_verified claims in the ID token rather than the access token. This is mentioned in our Sample Use Cases: Scopes and Claims documentation.

If you want them to be in the access token, you might try appending them as custom claims.

Cheers,
Rueben
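What the reply above describes, as an added example that is not part of the original thread and not Auth0's own code: a post-login Action that copies `email` and `email_verified` into the access token as namespaced custom claims, plus the mapping a NestJS `validate(payload)` could return once those claims exist. The namespace `https://example.com`, the function names and the sample claims are assumptions; the stub `api` object only records the claims an Action would set, so the block runs offline.

```javascript
// Added example; not code from this thread or from Auth0's SDKs.
// NAMESPACE, the function names and all sample claims below are assumptions.

const NAMESPACE = 'https://example.com'; // a URL you control, not an Auth0 domain

// --- Auth0 side: post-login Action --------------------------------------
// In the dashboard (Actions > Flows > Login) this is exported as
// `exports.onExecutePostLogin = async (event, api) => { ... }`.
// Auth0 passes `event` (who logged in) and `api` (what may be changed).
function onExecutePostLogin(event, api) {
  const { email, email_verified: emailVerified } = event.user;
  if (!email) return; // the connection supplied no address
  // Namespaced names keep the claims off Auth0's restricted-claim list and
  // away from registered claim names such as "email" or "sub".
  api.accessToken.setCustomClaim(`${NAMESPACE}/email`, email);
  api.accessToken.setCustomClaim(`${NAMESPACE}/email_verified`, emailVerified === true);
}

// --- Backend side: what NestJS validate(payload) should return -----------
// passport-jwt has already verified signature, exp, iss and aud by the time
// validate() runs; the audience re-check here is a cheap defensive step.
function userFromAccessToken(payload, apiAudience) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(apiAudience)) {
    throw new Error(`access token was not issued for ${apiAudience}`);
  }
  const emailVerified = payload[`${NAMESPACE}/email_verified`] === true;
  return {
    sub: payload.sub,
    scopes: (payload.scope ?? '').split(' ').filter(Boolean),
    // An unverified address is user-supplied input, not an identity: do not
    // use it for lookups or authorization unless email_verified is true.
    email: emailVerified ? (payload[`${NAMESPACE}/email`] ?? null) : null,
    emailVerified,
  };
}

// --- Offline demonstration with a stub `api` ------------------------------
// Constructed sample claims shaped like the access token payload in the thread.
const SAMPLE_ACCESS_TOKEN_CLAIMS = {
  iss: 'https://tenant.example.auth0.com/',
  sub: 'auth0|sample-user',
  aud: ['http://localhost:8080', 'https://tenant.example.auth0.com/userinfo'],
  scope: 'openid profile email',
  azp: 'sample-client-id',
};

function runActionOnSample(user) {
  const accessToken = { ...SAMPLE_ACCESS_TOKEN_CLAIMS };
  // With the `email` scope Auth0 already puts these standard claims in the
  // ID token; modelled here so the two tokens can be compared side by side.
  const idToken = {
    iss: SAMPLE_ACCESS_TOKEN_CLAIMS.iss,
    sub: user.user_id,
    email: user.email,
    email_verified: user.email_verified,
  };
  // Minimal stand-in for the Actions `api` object: it only records claims.
  const api = {
    accessToken: { setCustomClaim: (name, value) => { accessToken[name] = value; } },
    idToken: { setCustomClaim: (name, value) => { idToken[name] = value; } },
  };
  onExecutePostLogin({ user }, api);
  return { accessToken, idToken };
}

const sample = runActionOnSample({
  user_id: 'auth0|sample-user',
  email: 'alice@example.com',
  email_verified: true,
});
console.log(sample.idToken);     // standard "email" claim lives here
console.log(sample.accessToken); // only the namespaced copy lives here
console.log(userFromAccessToken(sample.accessToken, 'http://localhost:8080'));
```

On the API side `validate(payload)` would `return userFromAccessToken(payload, process.env.API_ENDPOINT)`. The ID token's `email` is for the client to display; the namespaced copy in the access token is what the API should rely on, and only when `email_verified` is true, since an address attached to an unverified database or social login can be chosen by whoever created the account.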

I have added the openid and email scopes, but I am still not getting the email in the payload.

As you can see, I have added openid and email to my scopes, but there is still no email in the payload.

import { handleAuth, handleLogin } from '@auth0/nextjs-auth0';

export const GET = handleAuth({
  login: handleLogin({
    authorizationParams: {
      scope: 'openid profile email',
    },
  }),
});

JWT Payload

{
  "iss": "https://dev-ba1x5rok53uuqkl0.us.auth0.com/",
  "sub": "google-oauth2|102581212202536419417",
  "aud": [
    "http://localhost:8080",
    "https://dev-ba1x5rok53uuqkl0.us.auth0.com/userinfo"
  ],
  "iat": 1745581754,
  "exp": 1745668154,
  "scope": "openid profile email",
  "azp": "M2uAyZhg5X9ecdWiKiYp0PP47NVXNOnD"
}

Hi @nicolatesla0987,

Thanks for your response.

The decoded token you shared looks like the payload claims of an access token.

Have you made sure you are decoding the ID token?
