Implementing Secure Communication Between Android App and Backend Using Auth0 and JWT Tokens

I am new to the Auth0 community and Auth0 as a whole.

I have developed an Android application that utilizes Auth0 for user authentication and authorization. While Auth0 manages user accounts and credentials, I need to store additional user data on a backend server.

My goal is to establish a secure communication channel between the Android app and backend server, ensuring that only authenticated users can access and interact with the backend resources. I intend to achieve this by using the JWT token obtained from Auth0 during login to authorize requests from the Android app to the backend server.

I followed some articles and found out that I have to create an API for the backend application in Auth0 and then set it as the audience in order to consume the token (validate the token against my endpoint). It was not clear WHY I need to do it. But I just followed along.

And am I going in the right direction?
Also, can someone explain how the backend validates the token? Does the backend send the token to Auth0 or does it just compare the audience of the token?

Hey there @TakshakBist-PL welcome to the community!

Yes, you’re on the right track by setting the audience for the Auth0 API. This ensures that the JWT token is issued for your backend, preventing unauthorized access from other services.
The backend does not send the token back to Auth0. Instead, it validates the token locally by verifying the signature and checking the claims like aud, iss, and exp.
