In the Authorization Code Flow, how can I let my backend know a user is authenticated and authorized?

I’ve successfully implemented the Authorization Code Flow to the point where my frontend can log a user in, verify authentication, retrieve user profile information, and retrieve what I understand to be an opaque token by running Auth0Client’s getTokenSilently() method.

However, now I’d like to hit my backend API endpoints with the confidence that the user has been authenticated/authorized via Auth0. From what I understand, opaque tokens are not decodable. How can I do this?

Hi @roamingstars,

Welcome to the Auth0 Community!

An opaque token happens when the audience query parameter is not passed in the login request. See the screenshot below:


(Reference: Get Access Tokens - Control Access Token Audience)

If that’s the case, yes, you’re right that they are not decodable. However, you can use them to call the Authentication API’s GET /userinfo endpoint to get the user claims.

However, if you want a JWT access token that your backend can decode and verify, you might try specifying an audience in the /authorize request.

Let me know if you have any questions.

Best,
Rueben
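
Added example, not part of the original thread and not Auth0's own code: a minimal Node.js sketch of what a backend checks once the access token is a JWT (signature, `iss`, `aud`, `exp`), with an opaque token reported separately since it cannot be verified locally. It assumes RS256 signing; the issuer, audience, key pair and tokens are constructed placeholders, and a real backend would load the public key from the tenant's JWKS endpoint or use a maintained JWT library.

```javascript
// Verify an RS256 JWT access token with Node's built-in crypto (added example).
const crypto = require('node:crypto');

// Placeholders (assumptions): use your tenant's issuer URL and your API identifier.
const ISSUER = 'https://YOUR_TENANT.example/';
const AUDIENCE = 'https://api.example.test';
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

function verifyAccessToken(token, publicKey, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  // An opaque token is not three dot-separated segments: nothing to verify locally.
  if (parts.length !== 3) return { ok: false, reason: 'opaque_or_malformed' };
  const [h, p, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'opaque_or_malformed' };
  }
  // Pin the algorithm on the server; never let the token header choose it.
  if (header?.alg !== 'RS256') return { ok: false, reason: 'bad_alg' };
  const valid = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`),
    publicKey, Buffer.from(sig, 'base64url'));
  if (!valid) return { ok: false, reason: 'bad_signature' };
  if (claims?.iss !== ISSUER) return { ok: false, reason: 'bad_issuer' };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(AUDIENCE)) return { ok: false, reason: 'bad_audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Constructed fixture: a local key pair stands in for the tenant's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signSample(claims) {
  const input = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url');
  return `${input}.${sig}`;
}
const now = Math.floor(Date.now() / 1000);
const goodToken = signSample({ iss: ISSUER, aud: AUDIENCE, sub: 'sample-user', exp: now + 300 });
const wrongAudToken = signSample({ iss: ISSUER, aud: 'https://other.example.test', exp: now + 300 });

console.log(verifyAccessToken(goodToken, publicKey));
console.log(verifyAccessToken(wrongAudToken, publicKey));
```

A token issued for a different audience fails even though its signature is valid, which is why the `aud` check matters on the API side.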
