From the API specification (Authentication API Explorer), “audience” isn’t a required field, yet if you don’t add it, your JWT is basically worthless.
I propose either: (1) updating the docs to make “audience” a required field, or (2) changing the status code of the response without “audience” to indicate that the JWT doesn’t contain a payload.
I want to add a clarification as I continue diving down the documentation rabbit hole.
If you don’t specify ‘audience’ it appears you receive an “opaque token” rather than JWT. This actually is still very useful but, instead of locally decoding it, you send it as a bearer token to {auth_server}/userInfo which gives you the user’s information.
Somewhat obviously, this would not give you access levels to the API because you didn’t specify which API you want to learn about so Auth0 doesn’t just tell you every possible door that token can open (good!).
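To make the distinction in the two posts above concrete, here is an added example (not code from the thread or from Auth0): a small Python routine that tells a JWT access token apart from an opaque one, reads the `aud` claim, and decides whether the token can be authorized locally against the API identifier or must instead be sent to `/userinfo`. The API identifier, the `/userinfo` path usage, the demo tokens and the JWT builder are all constructed for this example; the builder emits a placeholder signature, so the block deliberately does no signature verification. A real resource server must still verify the signature against the tenant's JWKS plus `exp` and `iss` before trusting any claim, which is outside what this example shows.

```python
import base64
import json
from typing import Union

# Constructed example values (assumptions for this demo, not from the thread).
EXPECTED_AUDIENCE = "https://api.example.com/"  # the API identifier you would pass as `audience`
USERINFO_PATH = "/userinfo"  # where an opaque token is sent, per the post above


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding (the JWT segment encoding)."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_jwt(payload: dict) -> str:
    """Build a JWT-shaped string for the demo only.

    The signature segment is a placeholder; a real token is signed by the
    authorization server and must be verified before its claims are trusted.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def token_kind(token: str) -> str:
    """Return 'jwt' for a three-segment token whose header is JSON with an alg, else 'opaque'."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header else "opaque"


def jwt_claims_unverified(token: str) -> dict:
    """Parse the payload segment WITHOUT verifying the signature.

    Used here only to read `aud` for routing; never authorize on these values
    until the signature, `exp` and `iss` have been checked.
    """
    return json.loads(_b64url_decode(token.split(".")[1]))


def audience_matches(token: str, expected_audience: str) -> bool:
    """True if `aud` (a string or a list of strings) names the expected API."""
    aud: Union[str, list, None] = jwt_claims_unverified(token).get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        return aud == expected_audience
    return expected_audience in aud


def route_access_token(token: str, expected_audience: str) -> str:
    """Decide what a resource server can do with the token it received.

    'userinfo'             -> opaque token: not decodable locally, send to
                              {auth_server}/userinfo to learn about the user
    'verify-and-authorize' -> JWT whose `aud` names this API: verify signature,
                              exp and iss, then apply scopes/permissions
    'reject'               -> JWT minted for a different audience
    """
    if token_kind(token) == "opaque":
        return "userinfo"
    if audience_matches(token, expected_audience):
        return "verify-and-authorize"
    return "reject"


if __name__ == "__main__":
    # Constructed demo inputs.
    with_audience = make_demo_jwt({"iss": "https://tenant.example/", "sub": "auth0|123",
                                   "aud": [EXPECTED_AUDIENCE, "https://tenant.example/userinfo"]})
    opaque = "a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuV"  # shape of a token issued without `audience`
    print(route_access_token(with_audience, EXPECTED_AUDIENCE))  # verify-and-authorize
    print(route_access_token(opaque, EXPECTED_AUDIENCE), USERINFO_PATH)  # userinfo /userinfo
```

The routing mirrors the thread's point: without `audience` the client gets a token that only the authorization server can interpret, so the only sensible move is the `/userinfo` call, and a resource server that receives such a token has nothing to grant access on. A JWT whose `aud` names a different API is rejected outright rather than inspected for scopes, which is the behaviour that keeps one API's token from being replayed against another.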
Thanks for creating this feedback card and providing all that context! Make sure to upvote your card so that it attracts as much attention as possible from other community members! We review those on a monthly basis and we’ll let you know as soon as we have updates for you!