getAccessTokenSilently not using correct signing algorithm?


I have a React JS app which implements auth0-react. User-authentication is working properly, however I am encountering a challenge while making a request to my protected Flask API (also using auth0).

My Auth0Provider looks like this:

    clientId={ process.env.REACT_APP_AUTH0_CLIENT_ID }
    domain={ process.env.REACT_APP_AUTH0_DOMAIN }
    audience={ process.env.REACT_APP_AUTH0_AUDIENCE }
    redirectUri={ window.location.origin }

The problem I am facing comes from the access token generated with getAccessTokenSilently method in the React app:

const accessToken = await getAccessTokenSilently({
    audience: process.env.AUTH0_AUDIENCE,

const apiResponse = await fetch(url, {
    headers: {
        Authorization: `Bearer ${accessToken}`,

The Flask API errors out with KeyError: 'kid' because the unverified_header appears to not have been signed correctly. The value of unverified_header is:

# from getAccessTokenSilently
    'alg': 'dir', 
    'enc': 'A256GCM', 
    'iss': 'https://<MY-TENANT>'
    # no 'kid' key

When I manually use the access token given by the cURL method under APIs/my-api/Test/Asking Auth0 for tokens from my application, it works fine and the unverified_header looks like this:

# from cURL API Test method in Auth0 API Dashboard
    'alg': 'RS256', 
    'kid': 'WPQo-m7vuHeK5DZizbQqa',  # <-- has 'kid' key (works as expected)
    'typ': 'JWT'

Maybe Iā€™m missing something simple?

Some more info:

  • Audience (in both React app and Flask API):
    • value from the Identifier section in below image (my API in Auth0 Dashboard)
      Screen Shot 2022-01-04 at 10.53.00 AM
  • Domain (in both React app and Flask API):
    • https://<TENANT_NAME>
  • API Signing Algorithm (in Auth0 Dashboard)
    • RS256
  • API Signing Algorithms (in Flask API):
    • ['RS256']
1 Like

Hi @authgent,

Welcome to the Auth0 Community!

Can you confirm the audience param is being sent successfully with the request? You should be able to see it in the network tab of devtools when you make the request.