Got ID Token Using Server-Side Auth0 on Node.js - But Now What?

Hi, I’ve (nearly) successfully implemented a passwordless auth flow on Auth0 but am stuck at what I hope is the final step.

I’m using a server-side solution because I have a custom auth flow, where the passwordless email code is only sent if the email in question satisfies some conditions in Salesforce (I’ve already completed this part - this is just for context regarding why I am doing it this way).

As such, I’m doing this in Node.js using `import {AuthenticationClient} from 'auth0'` on Node.js (it’s a Next.js app but this is a serverless API function).

My code (once I post the email and verification code from the user after email was previously validated in Salesforce):

```javascript
import { AuthenticationClient } from 'auth0'

// Exchange the one-time code the user received by email for tokens, on the server.
const loginAuth0 = (code, email) => {
  const auth0Options = {
    domain: process.env.AUTH0_DOMAIN,
    clientId: process.env.AUTH0_CLIENT_ID,
    clientSecret: process.env.AUTH0_CLIENT_SECRET
  }

  const auth0 = new AuthenticationClient(auth0Options)

  // Called without a callback, signIn returns a promise, so the token response
  // is actually handed back to the caller (with a callback the return value was unused).
  return auth0.passwordless
    .signIn({ otp: code, realm: 'email', username: email })
    .then((message) => {
      console.log("Auth0 Message", message)
      return message
    })
    .catch((err) => {
      console.log("Auth0 Error", err)
      throw err
    })
}
```

What I get back is something like this:

```
{
  access_token: 'tc6bBBz4YcDQQfhTHN0DGLBCd1aGcXNM',
  id_token: 'eyJhbGciOiJSUzI1N...',
  scope: 'openid profile email address phone',
  expires_in: 86400,
  token_type: 'Bearer'
}
```

This to me looks like a JWT, but I’m still server side here. If I want to return this to the client and have them use this JWT (the ID token I believe) to then validate the token and access protected routes on the client, then how do I do that? Basically, what do I do with this token I’ve gotten from the code above from the Node lib?

I know Auth0 has a SPA SDK and other tools, but I don’t see a way to start a “session” for the client when I already have the id token, especially because a lot of those libs or SDKs seem to assume a workflow, such as Universal instead of the way I’m doing it here. Do I need to validate manually with something from here - https://jwt.io/? When I paste my id_token in here it says it is valid, so that seems fine, but how about token storage?

If I’m not using the SDK because of how I’ve gotten the token, it seems I may run into problems with storing the token securely. Any pointers here would be great, thanks so much!