
How to obtain JWT access token for my own API via authorization code grant type?



After my user authenticates using a Google connection via the /authorize endpoint, I obtain the authorization code, which I then use to obtain the access_token from the /oauth/token endpoint. However, the access_token that I get back is a 32-character-long string, not in JWT format. I tried sending audience as an additional parameter to /oauth/token, but I am still not getting a properly formatted access_token.

How can I get an access_token in JWT format?

EDIT: The 32-character access_token is used to obtain user_info for the authenticated user. However, I also need a JWT token for that same user so they can access my API endpoints.


You were on the right track with the audience parameter; however, for the authorization code grant the audience parameter will need to be specified when you perform the request to the /authorize endpoint.

The code you receive from the authorization endpoint response will represent the grant provided by the end-user to the requesting client application, and as such it will also have an association to the audience requested through the authorization endpoint. This will then result in an access token suitable to the associated API when you exchange the code for the tokens at the token endpoint.

At this time, access tokens issued for your own APIs do use the JWT format, as that allows the API to validate the token by itself. However, just as additional information, nothing mandates that this needs to always be a JWT, so in the future other formats, from which you could choose, may be supported.
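
The flow described in the answer, as an added example that is not part of the original thread: the audience goes on the /authorize request, the /oauth/token exchange carries none, and a small diagnostic tells an opaque token from a JWT-shaped one. The tenant domain, client ID, redirect URI, API identifier and sample tokens are all constructed placeholders.

```python
import base64, json, secrets
from urllib.parse import urlencode

# Assumed placeholder values; substitute your own tenant, client and API identifier.
DOMAIN = "YOUR_TENANT.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"
API_AUDIENCE = "https://api.example.com/"

def build_authorize_url(audience, state=None):
    """Step 1: the audience is sent here, on /authorize, not on /oauth/token."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "audience": audience,
        "state": state or secrets.token_urlsafe(16),  # CSRF protection for the callback
    }
    return f"https://{DOMAIN}/authorize?{urlencode(params)}"

def token_request_body(code, client_secret):
    """Step 2: the code exchange carries no audience; it is already bound to the code."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": client_secret, "code": code, "redirect_uri": REDIRECT_URI}

def _b64url_json(segment):
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def unverified_audience(access_token):
    """Return the aud claim if the token is JWT-shaped, else None (opaque token).
    Diagnostic only: no signature check, so never use this to authorize a request."""
    parts = access_token.split(".")
    if len(parts) != 3:
        return None
    try:
        _b64url_json(parts[0])  # header must also be valid base64url JSON
        return _b64url_json(parts[1]).get("aud")
    except (ValueError, AttributeError):
        return None

def _fake_jwt(claims):  # constructed sample token with a dummy signature
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

OPAQUE_SAMPLE = "a" * 32  # constructed stand-in for the 32-character token
JWT_SAMPLE = _fake_jwt({"aud": API_AUDIENCE, "sub": "google-oauth2|123"})
```

The API itself must still verify the token's signature, issuer and audience with a JWT library before trusting any claim.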