
Rudimentary question about access_token and communicating with API



I’m now implementing Auth0 in my ASP.NET Core/React app after switching from other solutions.

I understand that I use the access_token to gain access to my backend API methods, and it looks like once I get my access_token, I’d then call auth0.client.userInfo() to get user profile info into my front-end app – in my case a React app.

Where I’m a bit confused is that in the previous solutions that I used, the token that I sent to backend API not only provided access to my API methods but also provided claims that provided user data.

It’s easy enough for me to send user info in my API calls by including them in the body of my POST calls but is this secure enough? I thought sending user data e.g. id, first, last name, etc. was more secure when sent through the JWT token.

Am I making the wrong assumption? Maybe I’m missing something about sending user data. I’d appreciate some clarification about the standard workflow to follow in communicating with the backend, which will require sending the user Id, first and last names.