How does a backend service validate an access token?

I have an SPA and a backend service which I would like to follow this flow: Authorization Code Flow with Proof Key for Code Exchange (PKCE)

Everything is working except for what happens between Step 6 and Step 7. When my backend receives the access token from the browser, how does the backend validate that access token? I assume that the backend doesn’t make a call to Auth0 to validate that token because there is no arrow back to Auth0 after Step 6. So, how does the backend know that the token it received is valid?

Hello @rexposadas,

Have a look at the libraries at https://jwt.io/. Many of the libraries will handle some or all of the token validation for you.

There is / was a page in the docs that detailed the steps required for validation, but I can’t seem to find it at the moment.

Thanks for the reply. Would these be the docs you were referring to? Auth0 Go API SDK Quickstarts: Authorization

It looks like I need to retrieve a public key from https://your_domain/.well-known/jwks.json in order to validate access tokens.

If I’m reading the docs correctly, then I need to know what “your_domain” is. Where is that domain name set? Is it set when I create the API application?

“your_domain” is your Auth0 tenant domain name, which is the name of your tenant (which you can see in the top right corner of the management console in the drop-down menu… see screenshot below), plus auth0.com.

E.g., markd-test-tenant.auth0.com.

If you have set up a custom domain name, then use that instead.
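The validation the quickstart describes (fetch the tenant's public keys from `https://your_domain/.well-known/jwks.json`, then check the token locally without calling Auth0) written out end to end, as an added Go example that is not part of this thread and not Auth0's SDK code. It uses only the standard library so the steps are visible: pick the key by `kid`, pin the algorithm to RS256, verify the signature over the raw header and payload, and only then check `iss`, `aud` and `exp`. The tenant domain `https://example-tenant.auth0.com/`, the API identifier `https://api.example.test` and the key id `demo-kid` are constructed values, and `DemoTenant` is a constructed stand-in that mints tokens and publishes the matching JWKS in memory instead of the HTTPS fetch a real backend performs:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// Claims are the registered claims a resource server checks; aud may be a string or an array.
type Claims struct{ Iss string; Aud interface{}; Exp int64 }

// ValidateToken verifies an RS256 access token against a JWKS document, i.e. the JSON a backend fetches (and caches) from https://<your_domain>/.well-known/jwks.json.
func ValidateToken(token, jwksJSON, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token must have three segments")
	}
	// Pin the algorithm the tenant signs with; never let the token choose (blocks alg=none / key confusion).
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if b, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(b, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed header or algorithm other than RS256")
	}
	pub, err := keyFromJWKS(jwksJSON, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signature covers "<header>.<payload>" as transmitted
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // only now are the claims trustworthy enough to inspect
	if b, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(b, &c) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	if c.Iss != issuer || !hasAudience(c.Aud, audience) {
		return nil, fmt.Errorf("token is from %q for %v, not from %q for %q", c.Iss, c.Aud, issuer, audience)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// keyFromJWKS selects the RSA public key whose kid matches the token header.
func keyFromJWKS(jwksJSON, kid string) (*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	if err := json.Unmarshal([]byte(jwksJSON), &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		n, err1 := b64.DecodeString(k.N)
		e, err2 := b64.DecodeString(k.E)
		if k.Kty != "RSA" || k.Kid != kid || err1 != nil || err2 != nil {
			continue
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no usable RSA key with kid %q in JWKS", kid)
}

// hasAudience accepts both the string and the array form of the aud claim.
func hasAudience(aud interface{}, want string) bool {
	list, ok := aud.([]interface{})
	if !ok {
		list = []interface{}{aud}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// DemoTenant is a constructed stand-in for an Auth0 tenant: it generates a signing key, publishes the matching JWKS, and returns a function that mints RS256 tokens with the private half.
func DemoTenant() (string, func(payload map[string]interface{}) string) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwksJSON := fmt.Sprintf(`{"keys":[{"kty":"RSA","use":"sig","kid":"demo-kid","n":"%s","e":"%s"}]}`,
		b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes()))
	return jwksJSON, func(payload map[string]interface{}) string {
		h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "demo-kid"})
		p, _ := json.Marshal(payload)
		input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
		d := sha256.Sum256([]byte(input))
		s, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
		return input + "." + b64.EncodeToString(s)
	}
}
```

To exercise it, call `jwksJSON, sign := DemoTenant()`, mint a token with `sign(map[string]interface{}{"iss": "https://example-tenant.auth0.com/", "aud": "https://api.example.test", "exp": time.Now().Add(time.Hour).Unix()})` and pass it to `ValidateToken` with the same issuer and audience. The `issuer` string must match the `iss` claim exactly, including the trailing slash Auth0 puts on `https://your_domain/`, and `audience` is the API identifier you set when creating the API in the dashboard; a token minted for a different API or by a different tenant's key fails even though it is a perfectly well-formed JWT. In production the JWKS is fetched over HTTPS and cached, and a `kid` that is not in the cache is the signal to refetch once, which is how key rotation works without any call to Auth0 per request; the jwt.io libraries and the Go quickstart middleware do exactly this for you.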

I see. I was expecting the public key to be at the application level and not the tenant level. I guess, for me to have multiple environments, I should create multiple tenants, say … dev, staging and production.

That’s what we do … separate production and non-production tenants. This can be a challenge to manage, however, as there aren’t yet really good tools for managing configuration between tenants. It requires a lot of discipline from your Auth0 developers / managers!
