Id_token expiry/correct use of access token


I’m having trouble getting my head around how users access to my API expires/renews. I’ve followed the quickstarts whereby my SPA sends the User to the hosted login screen, which then returns the User to the callback page, with the access token and id token.

When the SPA makes requests to my API, it sends the id token in the request’s “Authorization” header - the access token that the SPA receives is not a valid JWT - which the API verifies against the jwks file on my Auth0 domain. On verification, the API then uses the subscription field on the id token to find the User in its database.

Is this the correct workflow? How is token expiry managed? It feels like once anything that makes calls to my API has a valid id token, it can make calls indefinitely.

Sorry, it looks like I was following the wrong quickstart!

Should have been using implicit grant:

Glad you were able to figure this out!
