JWT invalid signature in Mobile + API (Swift + Django)

Hello everyone,

I’m implementing an iOS application that needs to communicate with a Python/Django backend. For that, I am following the Mobile + API architecture scenario. Instead of Android and Node.js, I am following the iOS Swift quickstart and the Django API tutorial.

The issue is that the access token I receive after logging in is invalid: I cannot decode it using any Python library, since the signature has “wrong crypto padding”.

In my Auth0 dashboard, I have a Native app and a custom API.
My iOS app is the provided Auth0-SwiftUI example app. I log users into my app using the universal login flow.

func login() {
    let credentialsManager = CredentialsManager(authentication: Auth0.authentication())
    Auth0
        .webAuth()
        .audience(MY_API_AUDIENCE)
        .useEphemeralSession()
        .start { result in
            switch result {
            case .success(let credentials):
                // credentials.accessToken is malformed
                // Store the credentials as the Auth0-SwiftUI sample does
                _ = credentialsManager.store(credentials: credentials)
            case .failure(let error):
                print("Login failed: \(error)")
            }
        }
}

As you can see, I ensure I specify the audience matching my API to prevent receiving an opaque token back.
I cannot decode the access token I receive using Python’s jwt package (I can decode the header and the payload separately, but not the full token). I am using my JWKS correctly to get the public key to decode the token with.
When I paste it in jwt.io, it does complain about “invalid signature” (but I think that’s expected?), but I can see the header and payload.
The payload contains the following, among others:

  "iss": "<my Auth0 domain>",
  "aud": [
    "MY_API_AUDIENCE",
    "<my Auth0 domain>/userinfo"
  ],
  "scope": "openid profile email <other scopes configured in the Authorization Extension>",

What am I doing wrong? How can I get an access token that I can use to call my backend API?

Thank you!

Hi there @ferranconde welcome to the community!

Thanks for the detailed description - That’s very odd based on the information you’ve shared, it all looks good at a high level to me :thinking: Do you mind grabbing an example access token generated by your iOS app, throwing it into jwt.io and sharing a screenshot here (redacting any sensitive info)?

If you don’t mind sending me an actual jwt from a test user directly via DM that would be helpful as well :slight_smile:

Hi @tyf , thanks for the quick reply.
I will send you a DM with an actual jwt.


Following up here in order to share with the rest of community - The issue ended up being related to a truncated token value when copied from Xcode like so:

There is no issue with Auth0.swift generating tokens, thanks for confirming @ferranconde ! :rocket:

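Since the root cause was a clipped copy of the token, here is an added stdlib-only pre-flight check (not code from the thread, from Auth0 or from PyJWT) that tells a truncated token, which PyJWT reports as a crypto padding error, apart from a genuine signature mismatch before the token is handed to a JWT library. The tenant domain, kid and signature bytes in the sample token are constructed placeholders.

```python
import base64
import binascii
import json
import os

# RS256 over a 2048-bit RSA key, Auth0's default for API access tokens, yields a 256-byte signature.
EXPECTED_SIG_LEN = {"RS256": 256}


def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment, restoring the '=' padding the JWT format strips."""
    if len(segment) % 4 == 1:
        # No base64 string has this length: a classic sign of a clipped token.
        raise binascii.Error("Invalid crypto padding")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def diagnose(token: str) -> str:
    """Return 'ok', 'truncated: ...' or 'malformed: ...' without verifying the signature,
    so a clipped copy-paste is not mistaken for a wrong key or a wrong JWKS."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return f"malformed: expected 3 segments, found {len(parts)}"
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        json.loads(b64url_decode(payload_b64))  # header and payload were readable in the thread
    except (binascii.Error, ValueError):
        return "malformed: header or payload is not base64url-encoded JSON"
    try:
        sig = b64url_decode(sig_b64)
    except binascii.Error:
        return "truncated: signature segment is not valid base64url"
    expected = EXPECTED_SIG_LEN.get(header.get("alg"))
    if expected is None:
        return f"malformed: unexpected alg {header.get('alg')!r}"
    if len(sig) != expected:
        return f"truncated: signature is {len(sig)} bytes, {header['alg']} expects {expected}"
    return "ok"


def make_sample_token() -> str:
    """Constructed RS256-shaped token: realistic header/payload, random stand-in signature bytes."""
    def enc(obj) -> str:
        raw = obj if isinstance(obj, bytes) else json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "EXAMPLE_KID"}
    payload = {"iss": "https://EXAMPLE_TENANT.auth0.com/", "scope": "openid profile email",
               "aud": ["MY_API_AUDIENCE", "https://EXAMPLE_TENANT.auth0.com/userinfo"]}
    return ".".join([enc(header), enc(payload), enc(os.urandom(256))])
```

Dropping the last one or two characters of the sample token reproduces the two truncation diagnoses; only a token that passes this check is worth verifying against the tenant's JWKS.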
