Posting my solution for ref:
In general, to get the Sub claim you must verify and decode the JWT (there are a lot of libs, including the one above, that do this). The specifics are covered in many other places.
If you are getting an opaque string as your access token, you must include an audience/aud claim when getting the token. That aud will be the identifier from an API in your dashboard.
For example, in my code, these are the options I pass when making an instance of the Auth0 client:
    let auth0Client = await createAuth0Client({
      domain: config.domain,
      client_id: config.clientId,
      audience: "literallyAnyString",
    });
Where “literallyAnyString” is the identifier that you assigned when making the API (Auth0 implicitly suggests the URL of the API, but it can be… literally any string).
This will ensure you are now sending access tokens as JWTs.
Example of where you will/would have set the identifier:
You can also find it at the API screen:
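The API side of the post above, as an added example that is not part of the original post or Auth0's own code: it rejects an opaque token, verifies an RS256 JWT, checks that `aud` matches the API identifier, and only then returns `sub`. The key pair, issuer URL, `sub` value and the helper names (`signToken`, `subFromAccessToken`) are assumptions made for the demo; a real API would take the public key from its tenant's JWKS and normally use a maintained JWT library.

```javascript
// Added example. Key pair, issuer and tokens below are constructed for the demo.
const nodeCrypto = require("node:crypto");
const AUDIENCE = "literallyAnyString";     // the API identifier from the post
const ISSUER = "https://tenant.example/";  // constructed placeholder issuer
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

const decode = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Constructed stand-in for the authorization server issuing an RS256 access token.
function signToken(claims) {
  const input = `${encode({ alg: "RS256", typ: "JWT" })}.${encode(claims)}`;
  const sig = nodeCrypto.sign("RSA-SHA256", Buffer.from(input), privateKey);
  return `${input}.${sig.toString("base64url")}`;
}

// Returns the verified `sub`; throws with the reason if the token is rejected.
function subFromAccessToken(token, { key, audience, issuer, now }) {
  const parts = token.split(".");
  // Without an audience in the token request the access token is opaque:
  // it has no header.payload.signature structure and carries no readable claims.
  if (parts.length !== 3) throw new Error("opaque token: request it with an audience");
  const [h, p, s] = parts;
  // Pin the algorithm server-side; never let the token header choose it.
  if (decode(h).alg !== "RS256") throw new Error("unexpected alg");
  const valid = nodeCrypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url"));
  if (!valid) throw new Error("bad signature");
  const claims = decode(p); // trusted only after the signature check above
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) throw new Error("wrong audience");
  if (claims.iss !== issuer) throw new Error("wrong issuer");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  return claims.sub;
}

const now = Math.floor(Date.now() / 1000);
const opts = { key: publicKey, audience: AUDIENCE, issuer: ISSUER, now };
const token = signToken({ iss: ISSUER, sub: "auth0|constructed-user", aud: AUDIENCE, exp: now + 300 });
console.log(subFromAccessToken(token, opts));
```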