I get the error "The generated token is too large. Try with more specific scopes"

Question: I keep getting the error “The generated token is too large. Try with more specific scopes” when working with JWTs. What do I need to do?

Answer

One common cause is a non-OIDC-conformant application requesting the profile scope, which makes the ID token larger than allowed. This happens because, for non-OIDC-conformant clients, requesting the profile scope returns the complete user profile in the ID token.

The other possible cause of an oversized token is a large number of custom claims being added in Rules, Hooks, or Actions.

The maximum allowed size for an ID or access token is around 3.5 KB. Note that this limit applies when the ID or access token is returned on the callback URL: some browsers don’t support long URLs, and enforcing the limit avoids unexpected browser-specific issues.

There are a few things you can do to fix this:

  • We return the access and ID tokens on the callback URL primarily in the Implicit Flow for SPAs, or when you explicitly request token or id_token in addition to code. For the first case, you can migrate your application from the Implicit Flow to the Authorization Code Flow with PKCE by following our SPA samples. The ID and access tokens are then received through the code exchange at the /oauth/token endpoint, which doesn’t have this token size limit.
  • Make the client application OIDC conformant: https://auth0.com/docs/api-auth/intro
  • Remove unnecessary scopes.
  • Check your Rules, Hooks, or Actions to see whether large values are being added to the ID or access token as custom claims.