I’ve successfully implemented the Authorization Code Flow to the point where my frontend can log a user in, verify authentication, retrieve user profile information, and retrieve what I understand to be an opaque token by running Auth0Client’s getTokenSilently() method.
However, now I’d like to hit my backend API endpoints with the confidence that the user has been authenticated/authorized via Auth0. From what I understand, opaque tokens are not decodable. How can I do this?
If that’s the case, yes, you’re right that they are not decodable. However, you can use them to call the Authentication API’s GET /userinfo endpoint to get the user claims.
However, if you want a JWT access token that your backend can decode and verify, you might try specifying an audience in the /authorize request.