Introspection endpoint for Opaque tokens or more flexible rules to get clear JWT access token

By default, Auth0 provide opaque access token instead of clear JWT Token.
Auth0 should also provide introspection endpoints.

By default here means: when the ‘openid’ scope is requested and/or when no audience is passed and/or when the /userinfo endpoint is used as audience - which is the required one for Login feature on Native app for example.
Such Opaque token cannot be used to read claims, especially permission related one(s) from other middlewares such as API Gateway product.
Most (if not all) api gateway product only support clear JWT Tokens. Some of them support external introspection endpoints to introspect opaque tokens, but since Auth0 do not provide any, this kind of support is not possible.

Use-case: Standard API protection by JWT validation & introspection

Since having opaque tokens is not a standard but something imposed by Auth0, Auth0 must provide introspection endpoints so that 3rd party middleware can rely on Auth0 to validate & introspect the tokens when verifying access rights.
If this is too complicated, Auth0 should at least provide us a simple and convenient way to get a clear JWT access token with all permissions when login into an application (mobile application for example) - please read this thread for more details about the use case.

If you would like to have such feature (introspection endpoint) or a simpler way than now to get a clear access token, please vote for this feature request.

Thank you for the detailed feedback @nvivot!

anybody integrating from CommerceTools will need this feature.

Is it on roadmap at all?

Hey there!

It’s not on the roadmap yet as it hasn’t received enough feedback and upvotes compared to others features taken into account.


Hi, any recent update on this feedback from Auth0?

1 Like


This is an absolute requirement because privacy is key so we cant send jwt access tokens all over the place. Typicaly opaque tokens should be used and within a secure perimeter introspect them and get access details.

Please we need this feature.


1 Like

I think you need this feature too.