
How to remove access token from URL

#1

I set my callback URL to https://authtester.azurewebsites.net/home, that part works, my home page gets loaded after auth. What I don't like about it is the appearance of access_token in it. How do I prevent it from showing? (I have changed a few values in the token to make it useless to anyone)

https://authtester.azurewebsites.net/Home#access_token=[ACCESS_TOKEN]&scope=openid&expires_in=7200&token_type=Bearer&state=edJszHPBMfahLdhIBM9AltPT2gkXVBue&id_token=[ID_TOKEN]

#3

First of all, please avoid pasting access tokens or ID tokens in a public forum; it’s possible to redact/change them in a way to be somewhat okay to share them, but in general avoid going down that route so I’ll just edit your post to contain placeholders.

Based on the response you’re getting, your application performed a request that used response_type=token+id_token and a response_mode=fragment (or did not specify a response mode, as fragment is the default for this response type).

In order to not have tokens in the URL, you need to use a different response type or a different response mode. For example, either just response_type=code or response_type=token+id_token&response_mode=form_post would technically remove tokens from being present in a URL; however, your application would now need to support handling responses in accordance with those parameters.

#4

Thanks jmangelo. Much appreciate it.