INVALID TOKEN SIGNATURE at JWT.IO after trying an SPA example

Hello !!!

First post Here !!

We are trying to set up auth0 authentication + authorization in our “regular API project”

We started by creating a SPA application with the help of the auth0 page, which gives the code already set up with domain / audience.

The login is SUCCESSFUL. But when we get the user and print the token, and paste it in JWT.IO, it does not look valid. It warns about “BAD SIGNATURE”.

The SPA samples seem to have an "API SERVER" running at 3001 apart from the login app at 3000 (we are using REACT).

From my understanding, SPA projects are expected to ask for the token directly and not for a code, since they won't have a back end, while regular API ones are expected to negotiate a code and then send it to the back end to exchange it for a token.

Also I was told that the token is broken because it is encrypted. I know it is SIGNED, but couldn't find any info about encryption. I was told that because, otherwise, you are at risk of someone trying to edit the permissions array.

What are we missing? The idea is to have a look at the token, see the permissions array and test it with multiple users (with different roles / permissions). But JWT.io is not validating it.

Many thanks,

Have a great day.

Pedro.

Hello @paste, welcome to the community, apologies for the delayed response!

Were you ever able to get this sorted? Do you mind sharing your Auth0Provider code from the React sample app? It’s hard to know exactly what could be going on but I have some suspicions.

Let us know either way!
