Generate User Token on behalf of user OR exchange Opaque token with API Management?

Hello,
I am using Auth0 with Weweb (Front-end builder). The integration currently doesn’t allow me to define an “audience”. Therefore, I only get back the logged in user’s data & an opaque token.

I am using Xano as my BE and I need access to the actual JWT token for the user in order to validate and grant them access to resources after validating their token with Auth0.

I am thinking one of these could help (If they do exist):

  • Somehow exchange the Opaque token through an authenticated API Management (Client secret, ID, etc…) to get an actual JWT user token.
  • OR, generate a new token for the user and then use this generated token within Xano by first validating with Auth0 and then giving the necessary access to the resources.
  • A 3rd option which is less secure would be to just ignore the JWT token and directly pass the user data after they are authenticated to Xano. But in this case, there is no validation that I could do between Xano and Auth0 to make sure the user is who he is.

Would appreciate any ideas to find a practical solution.
Kind regards!

You need to register an API in Auth0 and when requesting tokens send an additional parameter audience=your_api_audience, then you’ll obtain an access token with this audience in JWT format

1 Like

Thanks for your response. As I’ve mentioned, adding the “audience” parameter is not something I can control as the front-end tool doesn’t allow me to edit the pre-configured Auth0 endpoint.

:wave: @DrHariri :slight_smile:

As @phi1ipp mentions, register a (custom) API with Auth0. Then set the Default Audience for your Auth0 Tenant (see here for details) to the Identifier associated with your custom API, and that way you’ll automatically generate an Access Token for the required audience without needing to specify an audience parameter.

Hope that helps :sunglasses:

4 Likes

Thank you for your response and clarification. This seems to be what I want!
Just to be sure:

  • Should I try this with the domain of the front-end tool calling the Auth0 login request OR the “audience” already used within the API settings page on Auth0?

Thanks!

The latter: audience - whether explicitly specified using the audience parameter or implicitly using the Default Audience parameter - is basically the Identifier associated with the (custom) API you’ve defined to Auth0. Whilst Identifier might often look like a URL, it is in fact a URI; whilst not mandatory, Auth0 recommend the use of a URI as an API Identifier in order to mitigate name clashes which might otherwise create potential security issues.

Hope that helps :slightly_smiling_face:

1 Like
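For readers following this thread: once the Default Audience is set, the backend still has to validate the access token before granting access, and that validation is where the "audience" discussed above actually gets checked. The following is an added example, not code from the thread or from Auth0 or Xano. It shows the checks a backend should make (JWT shape rather than an opaque token, pinned algorithm, signature, issuer, audience equal to the API Identifier, expiry). The tenant domain and API Identifier are constructed placeholders, and the signature step uses HS256 with a local secret purely so the example runs offline; real Auth0 access tokens are RS256-signed and are verified against the tenant's JWKS with a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders (not values from the thread): the Auth0 tenant domain
# that issues tokens, and the Identifier of the custom API registered in that
# tenant, which is the value the Default Audience setting points at.
ISSUER = "https://example-tenant.us.auth0.com/"
API_IDENTIFIER = "https://xano-backend.example.invalid/"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_jwt(token: str) -> bool:
    """Distinguish a JWT (three base64url segments, JSON header with 'alg')
    from the opaque access token Auth0 returns when no audience was requested."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False
    return isinstance(header, dict) and "alg" in header


def validate_access_token(token, issuer, audience, verify_signature,
                          allowed_algs=("RS256",), now=None):
    """Checks a backend must make before trusting an access token: JWT shape,
    pinned algorithm, signature (via callback), issuer, audience, expiry.
    Returns the claims, or raises ValueError with the reason."""
    if not is_jwt(token):
        raise ValueError("opaque token: Auth0 only issues a JWT when an audience is set")
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token header choose it (this rejects 'none' too).
    if header.get("alg") not in allowed_algs:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if not verify_signature(header, signing_input, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch: token was not issued for this API")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def rejection_reason(token, **kwargs):
    """Return None if the token validates, else the reason it was rejected."""
    try:
        validate_access_token(token, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed demo material: HS256 with a local secret stands in for Auth0's
# RS256 signature, which in production is verified against the tenant's JWKS
# (https://<tenant>/.well-known/jwks.json) using a JWT library.
DEMO_SECRET = b"constructed-demo-secret-not-an-auth0-key"


def hs256_verify(header, signing_input, signature):
    expected = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def make_demo_token(claims):
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    now = 1_700_000_000
    good = make_demo_token({"iss": ISSUER, "sub": "auth0|demo-user",
                            "aud": API_IDENTIFIER, "exp": now + 3600})
    print(validate_access_token(good, ISSUER, API_IDENTIFIER, hs256_verify,
                                allowed_algs=("HS256",), now=now)["sub"])
    print(rejection_reason("r4nd0mOpaqueString", issuer=ISSUER, audience=API_IDENTIFIER,
                           verify_signature=hs256_verify, allowed_algs=("HS256",), now=now))
```

The audience check compares against the API Identifier exactly as registered in Auth0 (a URI, as the reply above notes), not against the front-end's domain. The `allowed_algs` default of `("RS256",)` means the demo HS256 token is rejected unless the caller opts in, which is the behaviour you want in a backend: the algorithm comes from your configuration, never from the token.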
