JWT "alg" field mismatch issue with Auth0 and Python backend


I have an issue regarding the JWT tokens I’m getting from Auth0 and how I’m trying to decode them on my Python backend using PyJWT. I have set my Auth0 application to use the HS256 signing algorithm. However, the JWTs I’m getting seem to be using the “dir” algorithm and “A256GCM” encryption, according to the JWT header:

“alg”: “dir”,
“enc”: “A256GCM”,
“iss”: “https://dev-scw75shlt3zj7drj.us.auth0.com/

When I try to decode this JWT on my Python backend using the HS256 algorithm, I’m getting the error “The specified alg value is not allowed”. I understand this is because of the mismatch between the algorithm used in the JWT and the one I’m trying to use to decode it.

However, I don’t understand why the JWT is using the “dir” algorithm in the first place. I’ve checked my Auth0 application settings, and I’ve confirmed that I’m using the HS256 signing algorithm. I’ve also made sure that “OIDC Conformant” setting is turned off.

Here’s the code I’m using to get the token:
const { isAuthenticated, loginWithRedirect, logout, getAccessTokenSilently } = useAuth0();

const login = () => {

watchEffect(async () => {
  if (isAuthenticated.value) {
    const token = await getAccessTokenSilently({
      audience: 'A5BKrZ6Ipu8mtitkYoWHted4xqrFT3q7'
    axios.post("http://localhost:3000/register", {}, {
      headers: {
        Authorization: `Bearer ${token}`
    }).then(response => {
    }).catch(error => {

Here’s the code I’m using to decode the JWT:
@app.route(‘/register’, methods=[‘POST’])
def register():
auth_header = request.headers.get(‘Authorization’)
if not auth_header:
raise Unauthorized(‘No Authorization header provided.’)
bearer, _, token = auth_header.partition(’ ')
if bearer != ‘Bearer’:
raise Unauthorized(‘Invalid Authorization header.’)
payload = jwt.decode(token, os.environ[‘AUTH0_CLIENT_SECRET’], algorithms=[‘HS256’])
except jwt.InvalidTokenError as error:
raise Unauthorized(‘Invalid token.’)
user_id = payload.get(‘sub’)
if not user_id:
raise BadRequest(‘No user ID in token.’)
users[user_id] = request.json
return jsonify({‘message’: ‘User registered successfully.’})

Hey there @dengziyang77 welcome to the community!

I believe this is the result of requesting an HS256 token without an audience. Are you passing an audience param to loginWithRedirect() or any other form of invoking an authorization call?

Let us know!

Thanks for your answer!
I added the audience,but the result doesn’t change.

1 Like

By the way, do we have an example of login in a frontend-backend separation pattern? I assume there should be many cases like this, but I couldn’t find any tutorials on auth0.

1 Like

Thanks for getting back to me, happy to help!

Interesting - I’m not able to reproduce using the Management API identifier(https://your_domain.us.auth0.com/api/v2) as the audience - The Management API is by default set to use RS256 so the token returned should be RS256 regardless of application settings.

In this flow, are you looking to get a Management API access token? Typically, you’d be requesting a token with an audience set to your own API identifier as defined when you create an API in your dashboard. If you use your own API identifier which represents your backend in this architecture I believe you should receive a valid HS256 token. I might also mention that applications of type SPA created in auth0 will by default have the signing algorithm set to RS256 which is recommended.

The React sample does contain a sample API - It’s a Node implementation but should help in terms of a basic example of the pattern.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.