Get access_token but can't use it to get user information

I followed this tutorial to get an access_token: Call Your API Using the Authorization Code Flow (I am using Laravel to build the API).
But when I dumped the response, I got something like this:

As you can see, the access_token is really short; I think it wasn’t encrypted. And I tried to use that token to get user information and it failed.

After this, I cloned the React repo in the quick start guide and used the same config. And the response is different.

Not only was the access_token encrypted, but the expiry time has a different value too. With this access_token, I can get user information.

Hi @manhhoang3151996,

The user’s information can be found in the ID Token. You can decode the token at jwt.io.

The Access Token will be returned as either a JWT or an opaque token depending on the audience. If no audience is configured in the client application, then the audience is your Auth0 tenant’s /userinfo endpoint (https://{your-auth0-domain}/userinfo), and the token is opaque.

To get a JWT Access Token that can be decoded, you can pass an API identifier as the audience:

```jsx
ReactDOM.render(
  <Auth0Provider
    domain={config.domain}
    clientId={config.clientId}
    redirectUri={window.location.origin}
    audience={config.audience}
    onRedirectCallback={onRedirectCallback}
  >
    <App />
  </Auth0Provider>,
  document.getElementById("root")
);
```

Hi @manhhoang3151996,

Would you mind sending an example request (be sure to take out any sensitive info such as a client ID or your domain)? For example:

```
https://YOUR_DOMAIN/authorize?
    response_type=code&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=https://YOUR_APP/callback&
    scope=SCOPE&
    audience=API_AUDIENCE& // <-- This determines whether a JWT will be returned for the Access Token
    state=STATE
```

In the request, if you list the audience as an API identifier of a registered API in your tenant, you should receive a JWT for the Access Token.


Oh, I read too fast so I skipped the **The Access Token will be returned as either a JWT or an opaque token depending on the audience** part. Thank you, I did it :smiley:


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.
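
The opaque-versus-JWT distinction discussed in this thread, as an added example (not code from any of the posts or from Auth0): it builds the /authorize request with or without `audience` and classifies a returned Access Token by its shape. The helper names are hypothetical, and the domain, API identifier and both sample tokens are constructed placeholders.

```javascript
// Added example; helper names are hypothetical, all values are constructed.

// Build the /authorize request from the thread; `audience` is optional.
function buildAuthorizeUrl({ domain, clientId, redirectUri, scope, state, audience }) {
  const params = { response_type: "code", client_id: clientId, redirect_uri: redirectUri, scope, state };
  if (audience) params.audience = audience; // omitted => opaque Access Token
  return `https://${domain}/authorize?${new URLSearchParams(params)}`;
}

const fromB64Url = (s) =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
const toB64Url = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Classify an Access Token by shape only. This does NOT verify anything:
// an API must still validate the signature, iss, aud and exp before trusting claims.
function inspectAccessToken(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return { format: "opaque" };
  try {
    const header = JSON.parse(fromB64Url(parts[0]));
    const claims = JSON.parse(fromB64Url(parts[1]));
    if (typeof header !== "object" || header === null || !header.alg) {
      return { format: "opaque" };
    }
    // `aud` may be a single string or an array; normalise to an array.
    const audiences = [].concat(claims.aud ?? []);
    return { format: "jwt", alg: header.alg, audiences, expiresAt: claims.exp ?? null };
  } catch {
    return { format: "opaque" }; // three segments, but not base64url-encoded JSON
  }
}

// True only when the token is a JWT that names the API as an audience.
function isForApi(token, apiIdentifier) {
  const info = inspectAccessToken(token);
  return info.format === "jwt" && info.audiences.includes(apiIdentifier);
}

// Constructed samples: an opaque token and an unsigned JWT-shaped token.
const API_ID = "https://api.example.test";
const OPAQUE_SAMPLE = "CONSTRUCTED_OPAQUE_TOKEN_0000";
const JWT_SAMPLE = [
  toB64Url({ alg: "RS256", typ: "JWT" }),
  toB64Url({ iss: "https://tenant.example.test/", aud: API_ID, exp: 1700000000 }),
  "constructed-signature",
].join(".");

console.log(inspectAccessToken(OPAQUE_SAMPLE), inspectAccessToken(JWT_SAMPLE));
```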