Newbie: Confused about Auth0 setting and workflow

Hi there,

I am quite new to Auth0.
I have a SPA application and a backend API (Account API) service protected by Auth0. I have configured SPA to use Auth0 and can login successfully.

However, I have trouble to configure Account API (using Authorize with scope) by JWT Bearer token. I keep getting invalid token error.
So, need help on a couple of things:

• Logged into SPA with requesting scopes: openid profile email app_metadata read:account
  ** read:account is the scope of the Account API

• I have to set Authorization header, with idtoken value before calling the Account API. Did I pass the correct token to call Account API?

I followed up the tutorial and documentation to set up Account API with Authorize(“read:account”). My code is exact like: https://auth0.com/docs/quickstart/backend/aspnet-core-webapi#validate-access-tokens
I think I may miss some settings in Auth0 or I misunderstood something.

Thanks

Hi Dean. In your setup, Auth0 will return two tokens in the authorization response: the ID Token, which contains information about the user and authentication process, and an Access Token.
The ID Token’s audience is the client application itself (the SPA), so that the app can know the information about the user.
The Access Token audience is the backend API, so this is the bearer token that should be used when making requests to the API.
Also, make sure you include audience: "your-api-identifier" in the authorization request from the SPA, to indicate that the application is looking for a token to access the API.

Hi Nicolas,

thanks for your quick respond.
Yeah, I got it working now. confused a couple of concepts.

much appreciated.