I am quite new to Auth0.
I have a SPA application and a backend API (Account API) service protected by Auth0. I have configured SPA to use Auth0 and can login successfully.
However, I have trouble configuring the Account API (using Authorize with scope) with a JWT Bearer token. I keep getting an invalid token error.
So, I need help with a couple of things:
I logged into the SPA requesting the scopes: openid profile email app_metadata read:account
(read:account is the scope of the Account API)
I set the Authorization header with the ID token value before calling the Account API. Did I pass the correct token to call the Account API?
Hi Dean. In your setup, Auth0 will return two tokens in the authorization response: the ID Token, which contains information about the user and authentication process, and an Access Token.
The ID Token's audience is the client application itself (the SPA), so that the app can know information about the user.
The Access Token audience is the backend API, so this is the bearer token that should be used when making requests to the API.
Also, make sure you include audience: "your-api-identifier" in the authorization request from the SPA, to indicate that the application is looking for a token to access the API.