Hi @hantsy,
Yes, what you have observed is called an opaque token. This happens when the Auth0 audience is omitted from the authorization request. The token is still valid but is not considered a JWT token.
To generate a JWT token, you must specify the audience query parameter in the authorization request.
The telltale sign that the access token is not a JWT is when the audience is omitted, and you can’t decode it on jwt.io. Instead, it only works against the `/user info endpoint.
Thanks,
Rueben