Hello everyone,
I’m implementing an iOS application that needs to communicate with a Python/Django backend. For that, I am following the Mobile + API architecture scenario. Instead of Android and Node.js, I am following the iOS Swift quickstart and the Django API tutorial.
The issue is that the access token I receive after logging in is invalid: I cannot decode it using any Python library, since the signature has “wrong crypto padding”.
In my Auth0 dashboard, I have a Native app and a custom API.
My iOS app is the provided Auth0-SwiftUI example app. I log users into my app using the universal login flow.
```swift
func login() {
    let credentialsManager = CredentialsManager(authentication: Auth0.authentication())
    Auth0
        .webAuth()
        .audience(MY_API_AUDIENCE)
        .useEphemeralSession()
        .start { result in
            switch result {
            case .success(let credentials):
                // credentials.accessToken is malformed
                _ = credentialsManager.store(credentials: credentials)
            case .failure(let error):
                print("Login failed: \(error)")
            }
        }
}
```
As you can see, I ensure I specify the audience matching my API to prevent receiving an opaque token back.
I cannot decode the access token I receive using Python’s jwt package (I can decode the header and the payload separately, but not the full token). I am using my JWKS correctly to get the public key to decode the token with.
When I paste it in jwt.io, it does complain about “invalid signature” (but I think that’s expected?), but I can see the header and payload.
The payload contains the following, among others:
```json
"iss": "<my Auth0 domain>",
"aud": [
  "MY_API_AUDIENCE",
  "<my Auth0 domain>/userinfo"
],
"scope": "openid profile email <other scopes configured in the Authorization Extension>",
```
What am I doing wrong? How can I get an access token that I can use to call my backend API?
Thank you!
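Added example (not from the original post, the Auth0 SDK or PyJWT): a stdlib-only checker that splits a token into its three segments and decodes each one on its own, so a base64url padding failure (the condition PyJWT reports as “Invalid crypto padding”) can be pinned to a single segment, and that then checks `alg`, `aud` and `iss` against the API audience. The audience, issuer, `kid` and signature bytes are constructed placeholders; the block does not verify the signature, which still requires a JWT library and the tenant JWKS.

```python
import base64
import binascii
import json

# Constructed placeholders for the demo; not real tenant values or tokens.
API_AUDIENCE = "https://api.example.com"   # stands in for MY_API_AUDIENCE
ISSUER = "https://example.auth0.com/"      # stands in for "<my Auth0 domain>/"

def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url with '=' padding stripped; restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_token(header: dict, payload: dict, signature: bytes) -> str:
    """Assemble a compact JWS from placeholder signature bytes (no real signing)."""
    return ".".join(b64url_encode(p) for p in
                    (json.dumps(header).encode(), json.dumps(payload).encode(), signature))

def inspect_token(token: str, api_audience: str, issuer: str) -> dict:
    """Explain why a token looks wrong BEFORE signature verification with the JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": f"{len(parts)} segment(s): not a JWS, probably opaque"}
    decoded = {}
    for name, seg in zip(("header", "payload", "signature"), parts):
        try:
            decoded[name] = b64url_decode(seg)
        except (binascii.Error, ValueError) as exc:   # what PyJWT surfaces as a padding error
            return {"ok": False, "reason": f"{name} segment is not valid base64url ({exc})"}
    header, payload = json.loads(decoded["header"]), json.loads(decoded["payload"])
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)   # Auth0 may send a string or a list
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if api_audience not in aud:
        problems.append(f"API audience missing from aud {aud}")
    if payload.get("iss") != issuer:
        problems.append(f"issuer mismatch: {payload.get('iss')!r}")
    return {"ok": not problems, "kid": header.get("kid"), "aud": aud, "problems": problems}

HEADER = {"alg": "RS256", "typ": "JWT", "kid": "demo-kid"}
PAYLOAD = {"iss": ISSUER, "aud": [API_AUDIENCE, ISSUER + "userinfo"], "scope": "openid profile email"}
GOOD = make_token(HEADER, PAYLOAD, b"\x01" * 256)   # 256 placeholder bytes, RS256-sized
TRUNCATED = GOOD[:-1]                               # one character lost from the signature
OPAQUE = "d3R0aGlzaXNub3RhSldU"                      # random-looking string, no dots

if __name__ == "__main__":
    for label, tok in (("good", GOOD), ("truncated", TRUNCATED), ("opaque", OPAQUE)):
        print(label, inspect_token(tok, API_AUDIENCE, ISSUER))
```

Run it against a real token by passing the token string, your API identifier and your tenant issuer (with trailing slash) to `inspect_token`; a result with `"reason"` tells you which segment or segment count is the problem before you involve the JWKS.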