
Issue validating a token with express-jwt



I followed the tutorials for React and JWT in Nodejs. I’m logging in using Auth0 Lock from the Front End, I get the ID Token, then I make a request to my nodejs server passing the id token in the header, but I get

UnauthorizedError: secret or public key must be provided
    at /project/node_modules/express-jwt/lib/index.js:102:22
    at /project/node_modules/jsonwebtoken/verify.js:27:18
    at _combinedTickCallback (internal/process/next_tick.js:67:7)
    at process._tickCallback (internal/process/next_tick.js:98:9)

This is the request

axios.request({
  // url: '/api/public',
  url: '/api/private',
  method: 'POST',
  headers: {
    "Authorization": `Bearer ${auth.getToken()}`
  }
})
  .then(res => {
    debugger
  })


The error in question (secret or public key must be provided) indicates that this is likely an incorrect configuration of the express-jwt library, more specifically, not providing the secret or public key that the library should use to validate the token.

You did not provide sufficient information to confirm if the above theory is correct or not so if you don’t detect anything that could be possibly wrong with the way you configured express-jwt then I would recommend that you update your question with additional information.


I decided to validate and analyze the token I get from Auth0 (client side) and I noticed that the quickstart tutorials for Single Page App and Backend / API are different.

Basically, the Backend / API tutorial doesn’t tell you how to make the request and how to create the JWT token. I suppose that you just send the token that you get from the client side (based on the Single Page App quickstart) but I get that error.

This is the code you get from the Backend / API quickstart

const jwt = require('express-jwt');
const jwksRsa = require('jwks-rsa');

const checkJwt = jwt({
  // Dynamically provide a signing key
  // based on the kid in the header and
  // the signing keys provided by the JWKS endpoint.
  secret: jwksRsa.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: 'https://{DOMAIN}/.well-known/jwks.json'
  }),

  // Validate the audience and the issuer.
  audience: '{API_ID}',
  algorithms: ['RS256']
});

But that secret key doesn’t match the one that you get from the client side. Instead, you have to pass the secret key from your client config, like

secret: {CLIENT_SECRET_KEY} });

Then, it works

Those quickstarts are so confusing.


Could you elaborate on this a bit? Are you saying the secret param should have the Client Secret from your client console?


I have also run into this issue.


I have also run into this issue.


I had the same issue (Ionic 2): the API code complained "secret or public key must be provided".
I found that the issue was that the bearer token was sent with double quotes:
Bearer "dssnjdskiei…"
My original code that was causing this was
'Authorization', 'Bearer ' + window.localStorage['access_token']
I had to change the above line to
'Bearer ' + JSON.parse(window.localStorage['access_token'])
JSON.parse removed the double quotes and it worked.


Thanks for pointing that out! Looks like I ran into the exact same problem and this solved it.
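
The two causes reported in this thread (a token that does not match the configured key, and a Bearer value wrapped in double quotes) can be checked before the header reaches express-jwt. The following is an added diagnostic example, not code from any post above or from the Auth0 quickstarts; `diagnoseAuthHeader`, `b64urlJson` and the sample tokens are hypothetical names and constructed values, and the algorithm-to-key-type mapping goes slightly beyond what the thread states.

```javascript
// Added example: pre-flight check of an Authorization header (no signature verification).
// diagnoseAuthHeader and the sample tokens are constructed for illustration.
function b64urlJson(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function diagnoseAuthHeader(headerValue) {
  const findings = [];
  const match = /^Bearer (.+)$/.exec(headerValue || '');
  if (!match) return { ok: false, findings: ['not a "Bearer <token>" header'] };
  let token = match[1];
  // A string stored via JSON.stringify keeps its double quotes when read back raw.
  if (/^".*"$/.test(token)) {
    findings.push('token is wrapped in double quotes');
    token = token.slice(1, -1);
  }
  const parts = token.split('.');
  if (parts.length !== 3) {
    findings.push('token does not have three dot-separated segments');
    return { ok: false, findings };
  }
  let header;
  try {
    header = b64urlJson(parts[0]) || {};
  } catch (e) {
    findings.push('JWT header is not base64url-encoded JSON');
    return { ok: false, findings };
  }
  // HS* is verified with a shared secret; RS*/ES*/PS* with a public key,
  // for example one picked from a JWKS endpoint by the header's kid.
  const alg = String(header.alg || '');
  const keyType = /^HS/.test(alg) ? 'shared-secret'
    : /^(RS|ES|PS)/.test(alg) ? 'public-key' : 'unknown';
  if (keyType === 'public-key' && !header.kid) {
    findings.push('no kid in header, so a JWKS lookup cannot select a key by kid');
  }
  return { ok: findings.length === 0, alg, kid: header.kid || null, keyType, findings };
}

// Constructed sample tokens; the third segment is a placeholder, not a real signature.
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const hsToken = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ sub: 'u1' })}.c2ln`;
const rsToken = `${enc({ alg: 'RS256', typ: 'JWT', kid: 'k1' })}.${enc({ sub: 'u1' })}.c2ln`;

console.log(diagnoseAuthHeader(`Bearer ${hsToken}`));
console.log(diagnoseAuthHeader(`Bearer "${rsToken}"`));
```

The `keyType` field shows which kind of `secret` the middleware must be given for that token; the function only reads the header and does not replace signature, audience or issuer validation.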