Email not included in JWT access token payload

Hello,

I am having an issue. I have added the email scope, but the user email is still not included in the JWT access token payload.

I am using Next.js in the frontend, where I am getting the token.
This is how I am handling my login in Next API routes:

import { handleAuth } from '@auth0/nextjs-auth0';

if (
  !process.env.AUTH0_BASE_URL ||
  !process.env.AUTH0_SECRET ||
  !process.env.AUTH0_ISSUER_BASE_URL ||
  !process.env.AUTH0_CLIENT_ID ||
  !process.env.AUTH0_CLIENT_SECRET
) {
  throw new Error('Missing Auth0 environment variables');
}

// Note: We do not use `params` in this route handler. The warning can be ignored.

export const GET = handleAuth();
export const POST = handleAuth();
export const PUT = handleAuth();
export const DELETE = handleAuth();

In the backend I am using Nest.js.
This is my JWT strategy in my backend:

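import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { ExtractJwt, Strategy } from 'passport-jwt';
import * as jwksRsa from 'jwks-rsa';

@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
  constructor() {
    super({
      // Fetch the signing key from the tenant's JWKS endpoint (cached, rate limited)
      secretOrKeyProvider: jwksRsa.passportJwtSecret({
        cache: true,
        rateLimit: true,
        jwksRequestsPerMinute: 5,
        jwksUri: `${process.env.AUTH0_ISSUER_BASE_URL}.well-known/jwks.json`,
      }),
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(), // reads the token from the "Authorization: Bearer" header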
      audience: process.env.API_ENDPOINT, // must match one value in the token's "aud" array
      issuer: process.env.AUTH0_ISSUER_BASE_URL, // must match token's "iss"
      algorithms: ['RS256'],
    });
  }

  async validate(payload: any) {
    return payload;
  }
}

JWT access token payload

{
  "iss": "https://dev-ba1x5rok53uuqkl0.us.auth0.com/",
  "sub": "auth0|6808ca7135629091a4429fa8",
  "aud": [
    "http://localhost:8080",
    "https://dev-ba1x5rok53uuqkl0.us.auth0.com/userinfo"
  ],
  "iat": 1745503663,
  "exp": 1745590063,
  "scope": "openid profile email",
  "azp": "M2uAyZhg5X9ecdWiKiYp0PP47NVXNOnD"
}

Hi @nicolatesla0987,

Thanks for your question.

I have answered your question in this thread.

TLDR:
Essentially, you can find the email_address and email_verified claims in the ID token rather than the access token. This is mentioned in our Sample Use Cases: Scopes and Claims documentation.

If you want them to be in the access token, you might try appending them as custom claims.

Cheers,
Rueben
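
One way to append the email as a custom claim, as suggested in the reply above (an added example, not part of the original thread and not Auth0's own code): the core of a post-login Action that copies the email into the access token, plus the mapping the backend's `validate(payload)` could apply. The `https://example.com` namespace, the helper names and the sample users are assumptions.

```javascript
// Added example. NAMESPACE is a placeholder; use a URL you control.
const NAMESPACE = 'https://example.com';

// Core of an Auth0 post-login Action: copy the email claims into the access token.
function addEmailClaims(event, api) {
  const { email, email_verified: verified } = event.user;
  if (!email) return; // some connections return no email at all
  api.accessToken.setCustomClaim(`${NAMESPACE}/email`, email);
  api.accessToken.setCustomClaim(`${NAMESPACE}/email_verified`, verified === true);
}

// In the Action editor, this is the handler Auth0 calls after each login.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = async (event, api) => addEmailClaims(event, api);
}

// Backend side: what validate(payload) could return instead of the raw payload.
function userFromAccessToken(payload) {
  const email = payload[`${NAMESPACE}/email`];
  const verified = payload[`${NAMESPACE}/email_verified`] === true;
  return {
    sub: payload.sub,
    // Policy chosen for this example: expose the email only when it is verified.
    email: typeof email === 'string' && verified ? email : null,
    scopes: typeof payload.scope === 'string' ? payload.scope.split(' ') : [],
  };
}

// Constructed stand-in for the Action `api` object, so the flow runs offline.
function mockApi(claims) {
  return { accessToken: { setCustomClaim: (key, value) => { claims[key] = value; } } };
}

// Runs the Action core against a constructed user and maps the resulting claims.
function demo(user) {
  const claims = { sub: user.user_id, scope: 'openid profile email' };
  addEmailClaims({ user }, mockApi(claims));
  return userFromAccessToken(claims);
}
```

The `email` scope alone never populates these claims in the access token; they appear only after the Action is deployed and attached to the login flow.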

I have added the openId and email scopes but am still not getting the email in the payload

As you can see, I have added openId and email in my scopes, but there is still no email in the payload.

import { handleAuth, handleLogin } from '@auth0/nextjs-auth0';

export const GET = handleAuth({
  login: handleLogin({
    authorizationParams: {
      scope: 'openid profile email',
    },
  }),
});

JWT Payload

{
  "iss": "https://dev-ba1x5rok53uuqkl0.us.auth0.com/",
  "sub": "google-oauth2|102581212202536419417",
  "aud": [
    "http://localhost:8080",
    "https://dev-ba1x5rok53uuqkl0.us.auth0.com/userinfo"
  ],
  "iat": 1745581754,
  "exp": 1745668154,
  "scope": "openid profile email",
  "azp": "M2uAyZhg5X9ecdWiKiYp0PP47NVXNOnD"
}

Hi @nicolatesla0987,

Thanks for your response.

The decoded token you shared looks like an access token's payload claims.

Have you made sure you are decoding the ID token?