How to Stop Getting JWEs when JWT is Required

travis.evers · October 14, 2024, 6:29pm

Overview

When calling /oauth/token, a JSON Web Encryption (JWE) token is received when a JSON Web Token (JWT) is desired. This article explains the steps required to get a JWT.

Applies To

Resource Servers
APIs
Access Tokens

Cause

Whether a JWE or a JWT when calling the token is returned is configured at the Resource Server/ API level. See Configure JSON Web Encryption for more information.

Solution

Check the audience being passed in the requests.

See Get Access Tokens for more details.

Whichever API’s identifier is being used as the audience parameter would need to be changed to toggle off JWE as per the documentation here:

See Configure JSON Web Encryption for more information

Please note that if no audience is provided, Auth0 will issue an opaque token instead, which is only intended for use with the tenant’s /userinfo endpoint as described in the following documentation

Control Access Token Audience

Topic		Replies	Views
Decode JWE's access token Help sessions , authentication-sessions	3	5902	June 13, 2023
Getting JWT Access Token instead of Opaque Token from /oauth/token with Authorization Code Flow Help jwt , access-token	4	4316	September 5, 2020
Authorization code flow returns opaque token instead of JWT even though audience is set Help jwt , api	10	4423	November 26, 2021
Encrypted JWT's (JWE?) with Lock Help jwe	2	7768	March 2, 2018
JWT and JWE tokens Help missing-category , other	4	761	February 27, 2024

How to Stop Getting JWEs when JWT is Required

Overview

Applies To

Cause

Solution

Related Topics