Can you console.log the access token on server side just for the troubleshooting purpose and check the content yourself? You can confirm if it is a valid jwt by putting it in jwt.io website. It is likely it is an opaque access token and not jwt. If it is opaque then you need to provide an audience parameter while authenticating the user. Check similar thread here UnauthorizedError: jwt malformed in express.js