
JWT generated by Auth0 via Lock is invalid in



I got into a problem. I’m finalising my API (Laravel) and doing some tests. Almost everything goes well. Here is the problem:

  • I login with Lock and retrieve the “access_token” and “id_token”.
  • I tried to reuse the id_token to access my API via Postman, then I got an “Unauthorized user”
    - I tried the Postman Auth0 method “Returns a user profile based on the Auth0 access token” to test my tokens: works with access_token (get the user profile), doesn’t work with id_token; get “Unauthorized” response. If I log the error in “Auth0JWTMiddleware.php” I caught “CoreException: Auth0\SDK\Exception\CoreException: Signature verification failed in /var/www/vendor/auth0/auth0-php/src/JWTVerifier.php:139”
  • Then I test the id_token in and get “Invalid signature”

I’m stuck, where may I look? May you help me please?

Answer after successful login: https://myApp/auth0/callback#access_token=ppbgMIxXayx4Son9&expires_in=86400&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6InRlc3RAdGVzdC5jb20iLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHBzOi8vYWx0aXR1ZGUtc3BvcnRzLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1OTUyYWMzZGU2NDBiYzNhOWZhYmJiMGEiLCJhdWQiOiJJNFFvdTdZWjVQUTZqM1A1eXo3TEthR3RzT2lmRTVYUiIsImV4cCI6MTQ5ODcwNDE4MSwiaWF0IjoxNDk4NjY4MTgxLCJhdF9oYXNoIjoiajNrd2w0V0tFSk93d2JjUEFFbDQ5ZyJ9.dR8KamTGQ6I_2CXWfwozRrRU7qCzv6LqUwTsVU-q11k&token_type=Bearer


If you are using the OIDC conformant flows, you should be passing the access_token to your API, not the id_token. I suggest going through our Laravel API quickstart which outlines this:

The reason for the Invalid Signature error on is because you have not decoded the token using the client secret. If you paste your Client Secret in the secret input box under the Verify Signature heading, it should successfully verify.
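
The signature check discussed in this thread, written out as an added example (not part of the original posts and not the Auth0 SDK's code). The id_token header above decodes to `{"typ":"JWT","alg":"HS256"}`, so verification is an HMAC-SHA256 over `header.payload` with the shared secret; the function names, secret, client id and token below are constructed for illustration.

```php
<?php
// Added example: HS256 JWT verification against a shared secret.
// Hypothetical helper names; the secret and token are constructed samples.
function b64url_decode(string $s) {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/') . $pad, true);
}
function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function verify_hs256(string $jwt, string $secret, string $aud, int $now): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('Malformed token');
    }
    [$h64, $p64, $s64] = $parts;
    $header = json_decode((string) b64url_decode($h64), true);
    // Pin the algorithm on the verifier side; never let the token choose it.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        throw new RuntimeException('Unexpected algorithm');
    }
    $expected = hash_hmac('sha256', "$h64.$p64", $secret, true);
    $given = b64url_decode($s64);
    // hash_equals compares in constant time.
    if ($given === false || !hash_equals($expected, $given)) {
        throw new RuntimeException('Signature verification failed');
    }
    $claims = json_decode((string) b64url_decode($p64), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) <= $now) {
        throw new RuntimeException('Token expired or unreadable');
    }
    if (!in_array($aud, (array) ($claims['aud'] ?? []), true)) {
        throw new RuntimeException('Wrong audience');
    }
    return $claims;
}

// Constructed sample token signed with a constructed secret.
$secret = 'constructed-demo-secret';
$now = 1700000000;
$h = b64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
$p = b64url_encode(json_encode(['sub' => 'user-1', 'aud' => 'demo-client-id', 'exp' => $now + 3600]));
$jwt = "$h.$p." . b64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));

print_r(verify_hs256($jwt, $secret, 'demo-client-id', $now)); // correct secret: claims returned
try {
    verify_hs256($jwt, 'some-other-secret', 'demo-client-id', $now);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // wrong secret: verification fails
}
```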