Necessary to validate JWTs using Auth0 Single Page App SDK

When using Auth0 Single Page App SDK, I’m grabbing the user information including the sub id using await auth0.getIdTokenClaims() on the front-end. Is it then okay to send this sub and other info in a post request to my API which will then query my database and return user sensitive data?

Or is it better to only send the __raw JWT token from auth0.getIdTokenClaims() and validate that on my back end server before grabbing the information to query my db?

Hi @shellmac

You should send an Access Token to the API. The access token should have the sub claim and you can add other info if needed.

Do not send an ID token, and don’t call your API without an access token.

Validate the access token carefully.

John

Thanks for the reply @john.gateley. I’m looking at the instructions under the “Call an API” section here and it looks like we are sending the access token in the header of the request, but how are we sending the unique sub claim to the server? When I call and log await auth0.getTokenSilently() as the tutorial shows, I do not get a JWT, instead it’s a 32 char string. Do you mean that if I pull this access token from the header and decode it on the server, I can get the sub claim from this string somehow?

If that’s the case, from a security perspective, how is this different from sending an id token in the body of a post request to my server and then validating this JWT on the backend with the public key to get the user info/sub claim to use for my db?

Also is this resource (Auth0 Backend/API Quickstarts) a good starting place to find how to implement what you are talking about?

Hi @shellmac

The access token you are seeing is an “opaque access token”, not a JWT. You need to specify an audience in order to get a JWT.

The quickstart is an excellent place to start.

John