You are correct. When you get an access token with getAccessTokenSilently you are making a request to Auth0’s servers to issue an access token.
To understand why, we need to understand more about JWTs. These tokens are signed, which means they include a signature that validates their payload. This is a cryptographic technique that uses a set of public and private keys (asymmetric), or a set of private keys (symmetric) to create a signature that could only be created with a private key. This is why I can’t fabricate a token in a text editor and pretend to be you.
With Auth0, you are likely to be using the default asymmetric signing method, which means the signature can then be validated by an external API or client using the freely available public key.
That brings us to your question: why tokens can’t be issued by your React app. As a client-side application, your React app is unable to store a private key securely. This is because the entire app is sent out to a user’s browser every time someone visits your website. Sending a private key with that app would mean any user could inspect the app and grab the key.
Because of this, you use an authentication and authorization server (Auth0) that authenticates users and apps, issues tokens with up-to-date info, and provides users’ profiles on request. This server also keeps a record of which users have authorized which applications, what their roles and permissions are, which applications have access to what APIs, and so forth.
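A minimal JWT sign/verify round trip, added here as an example that is not part of the original answer, showing why a token edited "in a text editor" fails validation. It uses the symmetric HS256 variant so that only the Python standard library is needed; with Auth0's default RS256 the structure is identical, except that signing needs the private key and verification only the public one. The secret and claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret. In a real deployment this lives only on the
# authorization server, never inside the JavaScript bundle sent to browsers.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Mint an HS256 JWT of the form header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_encode_json(header)}.{_encode_json(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the signature checks out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # refuse "none" and any other algorithm
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def forge_payload(token: str, new_payload: dict) -> str:
    """Edit the payload 'in a text editor' while keeping the old signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_encode_json(new_payload)}.{sig_b64}"
```

The forged token decodes fine as JSON, which is exactly why decoding alone is never a substitute for signature verification on the API side.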