JWT best practice and understanding

Dear all,

I have an SPA (React) and a back-end API (Python), and I use a JWT access_token to authorize the client to use the API.

My requirements in the back-end are: authorization to access the API, and identification of the user (simply accessing an id that can be used to query our own database).

To keep things fast, I implemented both steps with the same access_token, by adding a rule that puts the id in the access_token. This saves me a further call to the /user-info endpoint to identify the user once the request is authorized.

Nonetheless, in this article, I found the following advice:

Access tokens must never be used for authentication

I think this is meant to provide advice for the application and not the API, but I wanted to be sure. So, here is my first question:

  • Is putting an id (not really sensitive information) in an access_token to identify the user in a back-end API ok?

I also have another question regarding JWT.

The access_token, if I understand correctly, is generated by Auth0 using a secret key (from the tenant, used to sign the token) and provided to the client on login. Then, the validity of this access_token is verified in the back-end using the public key of the tenant.

So, what I cannot explain is how jwt.io can verify the signature of a token without any information (given by the user) about the public keys.

  • How can jwt.io verify the signature of a token without any information on the public keys? Are they fetched automatically from the iss field of the token?

Thank you very much for your time and your answer.

Hi @HuG

You can put a user ID in the access token. It describes WHO the authorization is for.

The verification key is publicly available: Locate JSON Web Key Sets

John


Hello @john.gateley

Thank you very much for your answer. It answers the doubts I had perfectly.

Have a great day


No worries, we are here for you!
