SPA + API issue with JWT token

I have a simple React app + backend. I want to use an auth0 JWT to authorize API access in the backend.

I have read this tutorial, especially SPA Angular 2 Implementation (SPAs + API)

The issue is that I always get an opaque token, never a valid JWT so I can’t use it in the backend.

I have configured a single page application and an API in the Auth0 dashboard.

I get the token like this:

    const token = await getAccessTokenSilently({
      authorizationParams: {
        audience: ``,

I double checked that the audience is the same as set in the API in the dashboard. It doesn’t work, what am I missing here?

I tried dozens of APIs and audiences including my “” URL, and none returned an actual JWT. Please provide guidance.

Even examples under here look like my code auth0-react/examples/ at 6bf58e8b89f3ed49b1fbf701aee7d9088f4ccedb · auth0/auth0-react · GitHub

Hey there @alexxx welcome to the community!

In your call to getAccessTokenSilently are you attempting to get a token for a different audience than specified previously? In provideAuth0 for example:

import { bootstrapApplication } from '@angular/platform-browser';
import { provideAuth0 } from '@auth0/auth0-angular';
import { AppComponent } from './app.component';

bootstrapApplication(AppComponent, {
  providers: [
      domain: '{yourDomain}',
      clientId: '{yourClientId}',
      authorizationParams: {
        redirect_uri: window.location.origin,
        audience: '{your_api_audience}'

Here is our Angular quickstart for reference.


I’m requesting the same audience:

import {Auth0Provider, withAuthenticationRequired} from '@auth0/auth0-react';
// ...
        audience: '',
      <Outlet />

I’ve already looked at the Angular tutorial and seems to do the same things.

The odd thing is I get ApolloError: Login required and a redirect when I run the getAccessTokenSilently part. So it feels like it’s not using the session I created by logging in.

It redirects my app to /authorize and I can see the request contains the right audience in the parameters.

Found the bug :man_facepalming: in the code above, props from a higher level component was overriding my authorizationParams.

One more question: do my users have to register and then also accept that OAuth prompt to share email/name? It sounds like a duplicated UX and more attrition for the signup.

1 Like

@tyf did you have any opinion about the above question? Thanks!

1 Like

That’s correct - Unless the application is first-party with Allow Skipping User Consent setting enabled: