Receiving JWT access token with one auth0 account, non-JWT token with other. Same code

I have a Svelte frontend using the auth0-spa-js library and have a Django REST Framework backend that I set up according to the Auth0 quickstart documentation.

It works perfectly using my personal auth0 account that I was using to test with.

I then got a new domain and email set up, so created a new account for that, to separate it from my personal stuff and pushed it to production.

However, for some reason the token endpoint is returning a non-JWT token.

It’s the exact same code, and it continues to work correctly on my local dev machine with my dev credentials.

This is what my local token response looks like:
{"access_token":"JWTACCESSTOKEN","scope":"openid profile email","expires_in":86400,"token_type":"Bearer"}

This is what the production token response looks like:
{"access_token":"NONJWTACCESSTOKEN","id_token":"JWTIDTOKEN","scope":"openid profile email","expires_in":86400,"token_type":"Bearer"}

Looking at the request headers, the only difference I can see is that the production headers contain sec-gpc: 1, all other headers, and the body are the same keys and have similar values.

I’ve run out of ideas. Does anyone have any idea?

Hi @jamalmoir,

Auth0 will supply a JWT Access Token when you provide an audience that refers to an API that you have registered in your Auth0 tenant. Otherwise, an opaque token will be returned.

Is the API registered in both tenants?

FAQ: Why is my access token not a JWT? (Opaque Token)

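The reply above explains why the backend fails: without an audience, Auth0 issues an opaque access token that a JWT-validating API cannot use. The following is an added example, not code from the thread or from Auth0, showing the structural check a resource server can run on an incoming bearer token to tell an opaque token from a JWT and to confirm the `aud` claim names the registered API before signature verification. `API_AUDIENCE` and the sample tokens are constructed assumptions.

```python
import base64
import json
from typing import Tuple

# Assumed identifier of the API registered in the Auth0 tenant (placeholder value)
API_AUDIENCE = "https://api.example.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def classify_access_token(token: str) -> str:
    """Return 'jwt' for a three-segment token with a JSON header carrying 'alg',
    otherwise 'opaque' (what Auth0 issues when the SPA requests no audience)."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header else "opaque"


def check_audience(token: str, expected_audience: str = API_AUDIENCE) -> Tuple[bool, str]:
    """Pre-check only: rejects opaque tokens and JWTs whose 'aud' does not name the API.
    It does not verify the signature; that still happens against the tenant JWKS."""
    if classify_access_token(token) != "jwt":
        return False, "opaque token: no audience was requested, so Auth0 issued a non-JWT access token"
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    aud = payload.get("aud", [])
    if isinstance(aud, str):          # 'aud' may be a single string or a list
        aud = [aud]
    if expected_audience not in aud:
        return False, f"audience mismatch: token aud={aud!r}, expected {expected_audience!r}"
    return True, "JWT for the expected API; proceed to signature verification"


def _make_unsigned_jwt(payload: dict) -> str:
    # Constructed sample: real JSON header and payload, dummy signature segment
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.c2lnbmF0dXJl"


SAMPLE_OPAQUE = "NONJWTACCESSTOKEN"   # shape of the production token in the question
SAMPLE_JWT = _make_unsigned_jwt({"iss": "https://TENANT.auth0.com/",
                                 "aud": [API_AUDIENCE, "client_id_placeholder"],
                                 "scope": "openid profile email"})
```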

@stephanie.chamblee thanks for the reply!

I’m not supplying the audience to either of them.

Following the auth0-spa-js tutorial, only the domain and client ID are provided.

This is the code I’m using to initiate the client.

import createAuth0Client, { Auth0Client } from '@auth0/auth0-spa-js';

// __config__ is the poster's own build-time config object holding the tenant values
export async function createAuthClient(): Promise<Auth0Client> {
  const client = await createAuth0Client({
    domain: __config__.AUTH0_DOMAIN,
    client_id: __config__.AUTH0_CLIENT_ID,
    // no audience is passed here, so the access token is opaque rather than a JWT
  });

  return client;
}

I then use client.loginWithRedirect to login a user that has not yet logged in and client.isAuthenticated and client.getTokenSilently to authenticate and grab their access token after login.

This is all linked up not to an API in my dashboard, but to an Application. The API is linked to my Django backend, but the non-JWT token is getting passed to that and failing.

OK, so I got it working by initialising the auth0 client with an audience like you said.

What is confusing me though, is that I was still getting a JWT access token without the audience on one of my tenants.

(Also maybe it would be a good idea to add this to the auth0_spa_js tutorial)

I’m glad you were able to get the JWT Access Token! I will pass on your feedback to the docs team. Thanks!
