Hey, all: New to the whole security domain and am sure that this question has been asked before, I just don’t know quite what to search for it. Sorry for the lazy links, Auth0 doesn’t like me embedding stuff.
At the moment, I have a React SPA (located at www[dot]portfolio[dot]dev[dot]aidsbooger[dot]com) that I can sign into and generate a bearer and ID token.
screenshot: webpage with token → i[dot]imgur[dot]com/qyIZ23Y.png
If I decode my identity token on jwt[dot]io, I get the following JSON:
```json
{
  "http://hicksm.dev/roles": [
    "Admin User"
  ],
  "nickname": "mason",
  "name": "mason@hicksm.dev",
  "picture": "https://s.gravatar.com/avatar/35ce320f1103a537d00069f3e812da3c?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fma.png",
  "updated_at": "2025-06-27T15:03:00.783Z",
  "email": "mason@hicksm.dev",
  "email_verified": true,
  "iss": "https://auth0.portfolio.dev.aidsbooger.com/",
  "aud": "{{spa_application_identifier}}",
  "sub": "auth0|685966e1009f76c90b9caa66",
  "iat": 1751136598,
  "exp": 1751172598,
  "sid": "qnNrIRUQ5s0iQx34GwvLWnDS2sgLtdEz",
  "nonce": "{{b64_nonce}}"
}
```
The http://hicksm.dev/roles claim is also passed to my bearer token.
I have an API, source here (github[dot]com/ward-sphere/web-experience/tree/service), to which I would like to pass my access token in order to authenticate a user (myself) and validate the http://hicksm.dev/roles claim so that I can update my website’s delivered content via REST API, but currently I am getting a 401 Unauthorized on all of the write/update/delete endpoints when doing so with the HTTP Authorization: Bearer <access_token> header.
What resources do I need to look through in order to be able to retrieve and pass a token that authenticates someone with the Admin User role in Auth0 to use said endpoints? Or am I just overlooking something small?
If I can provide any additional specific info or design documents please let me know. If this question has already been answered with better clarifying language that would also be great.
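As an added illustration (not code from the poster or from the linked repository) of what the API side has to check before it trusts the http://hicksm.dev/roles claim, here is a minimal bearer-token validator. It keeps the issuer and claim name from the question; the API identifier, the signing secret and the HS256 signing helper are constructed so the example runs offline, whereas a real Auth0 API must verify an RS256 signature against the tenant's JWKS.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://auth0.portfolio.dev.aidsbooger.com/"   # from the question
ROLES_CLAIM = "http://hicksm.dev/roles"                  # from the question
API_AUDIENCE = "https://api.example.invalid"             # constructed API identifier
SECRET = b"constructed-shared-secret"                    # constructed; Auth0 uses RS256 + JWKS

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Constructed HS256 signer, only so the example can build test tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_access_token(token: str, now=None) -> dict:
    """Return the claims only if signature, iss, aud and exp all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        # An opaque (non-JWT) access token lands here: the SPA did not
        # request an audience, so Auth0 issued nothing the API can verify.
        raise PermissionError("not a JWT")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")      # never trust alg from the token blindly
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        # An ID token (aud = the SPA client id) fails here: it is not meant for the API.
        raise PermissionError("aud mismatch")
    if int(claims.get("exp", 0)) <= now:
        raise PermissionError("expired")
    return claims

def is_admin(claims: dict) -> bool:
    """Role check on the custom namespaced claim, after the token itself is trusted."""
    return "Admin User" in claims.get(ROLES_CLAIM, [])
```

The two rejection paths worth noting are the aud mismatch (an ID token presented as a bearer token) and the non-JWT path (an opaque access token), since either produces a blanket 401 on every protected endpoint.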