Opaque Access Token and Authorization Code Fixed Length

I have a notice from Auth0 that the Access Token will be changed from Fixed Length to Variable length.

So I’ve some concerns and can not find the answer in any topic:

  1. Is that only impact when I use the GetAccessToken without an audience?
  2. What is the min and max length of the access token when we use it with an audience? As far as I know, when we use it with an audience, the format will be JWT, so the length should be too much.
  3. For the guideline from Auth0, I just need to turn off the toggle Fixed Length of Access Token & Authorization Code, and perform testing to make sure our app still working as normal. If the testing is okay, we can be confident that our app and Auth0 integration will work as normal after Apr 12, 2022?


JWT (tokens that are returned when you pass an audience) lengths have always been variable. This change effects opaque tokens (tokens returned when you don’t pass an audience).

The OAuth spec RFC6749 does not specify a min or max length for access tokens and we do not have a published min or max for JWT tokens.

The toggle will essentially give you a preview of the changes coming in April. On that date, the toggle will remain in the off position. I can’t speak directly to your implementation, but this should give you the time and opportunity to ensure the there aren’t issues.

Hope this helps!

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.