I’ve successfully implemented the Authorization Code Flow to the point where my frontend can log a user in, verify authentication, retrieve user profile information, and retrieve what I understand to be an opaque token by running Auth0Client’s getTokenSilently() method.
However, now I’d like to hit my backend API endpoints with the confidence that the user has been authenticated/authorized via Auth0. From what I understand, opaque tokens are not decodable. How can I do this?
Hi @roamingstars,
Welcome to the Auth0 Community!
An opaque token happens when the audience query parameter is not passed in the login request. See the screenshot below:
(Reference: Get Access Tokens - Control Access Token Audience)
If that’s the case, yes, you’re right that they are not decodable. However, you can use them to call the Authentication API’s GET /userinfo endpoint to get the user claims.
However, if you want a JWT access token that your backend can decode and verify, you might try specifying an audience in the /authorize request.
Let me know if you have any questions.
Best,
Rueben