But this means that when I authenticate, I get a short, non-JWT string as my access token.
You need to register your API and use its API identifier as the audience in the authorize request (not https://myauth0domain/userInfo).
https://auth0.com/docs/microsites/protect-api/protect-api
I had just answered a very similar question yesterday, here is the answer to that:
You shouldn’t have to deal with any of the prompt/consent explicitly in any way. This should work out of the box with silent authentication (where such is suppressed due to automatically using the prompt=none parameter in the background).
- is it just a matter of correctly configuring my hosts file so that I no longer get the consent_required error?
That should not be related. It’s probably more related to the configuration of the authorization request done by auth0.js. Maybe you could provide the code showing how you initialize the webAuth object and call the authorize request, including all parameters used.
Note that we also have excellent SPA quickstarts for authentication and authorization. Depending on the tech stack you’re using, these might be a good start to also review the code in there as reference.
Side note: if you’re developing a new SPA, it might make sense to go with the newer auth0-spa-js rather than auth0.js, because it makes the integration even easier, and also supports Silent Authentication. See