I’m totally new to JWT and most auth. Right now I have a front-end which has Auth0’s universal login integrated. On callback, I obtain the auth token via auth0Client.getTokenSilently(). This token is 505 characters long, and contains a mixture of alphanumeric characters and .'s. I pass this to my…

Ah! I think I see where the confusion lies! Let me see if I can clarify :sunglasses: Firstly I’d recommend reframing your perspective. Previously in the thread (see here for details) I mentioned that Auth0 typically generates two types of token: an ID Token and an Access Token; the former intended …

JWT token is "invalid signature"?

Help

tyf May 2, 2023, 2:14am 3

Hey again!

You’re on the right track!

My guess is that this token is missing the audience - If you do not specify an audience (aud claim) then the access token you get back will be opaque (not a jwt). That is, it cannot be decoded but can be used against the /userinfo endpoint. Some more on that here:

And a helpful FAQ on audience in general:

Hope this helps!