JWT token from auth0-spa-js and passwordless login

Recently for my web-based JS app I tried to use auth0-spa-js and universal login passwordless classic template for authentication. I needed a JWT with email scope so I could use it to authenticate directly to restdb.io, identifying the user.

I could not find a way to finish up with a JWT, which I needed for the restdb calls. I could use getTokenSilently to get a token after login but that seemed about it and it wasn’t a JWT.

I couldn’t find documentation that closely matched what I was trying to do.

I have now got around it by throwing out auth-spa-js and using auth0 lock passwordless in my app and getting the idToken JWT from that. Since that was documented.

So two remaining questions:
What does the lock code do in the manage Auth0 Universal Login setting code do now that I call the lock from my own code? Is it ignored?

Was there something I was missing about auth0-spa-js in my first attempt? It seemed I should have been able to get a JWT to my JS web code at some point but just couldn’t find out how.

Hello, @rwoodnz! Welcome back to the Auth0 Community

I think I know what might be going on here.

In Auth0, access tokens can be issued in two ways: opaque tokens, or JWT tokens. We issue opaque tokens when the audience for the token is an Auth0 API, and we issue JWTs when the audience is anything else but an Auth0 API. The default audience for an authentication transaction if it’s not specified is an Auth0 API.

In this case, I think you were getting an opaque token because you were not specifying an audience. Could you please confirm my assumption? If so, then, specifying an audience at the beginning of your authentication transaction should solve the issue.

Finally, bear in mind the concept of an audience: the party who the token is intended for - in this case, the resource server that is going to use it should be specified. If it’s not yet listed in Auth0, you should go in your Dashboard and create it under the APIs section.

Let me know if this helps!