
SPA SDK access token isn't a decodable JWT?

With the old WebAuth SDK, the access token was a large-ish JWT that included a “sub” parameter, so I could, for example, decode it on my Django API server and use middleware to look up a user record and perform fine-grained app level permissioning in my GraphQL resolvers, etc.

With the new SPA SDK, the access token returned is a short little thing that doesn’t decode as a JWT. The Node example here: https://github.com/auth0-samples/auth0-react-samples/blob/master/02-Calling-an-API/server.js appears to just be validating that Auth0 correctly signed the token, but there’s no way to get the info out of it.

Am I missing an important bit of conceptual understanding? It’s been a pretty long day.

See here:

To get a JWT, you’ll need to specify an audience.

John

I’m having a similar issue getting the SPA SDK to return a JWT-formatted access token. However, I am passing the audience. Are there any code samples available?

You are likely missing the scope=openid parameter. That should return a richer JWT. The shorter access_token is useful to retrieve the user profile (which would return the sub property too, but would require a new network call).

Your API should always validate the integrity of the token (e.g. signature, expiration, etc).

There was an incorrect audience in the call, so this is fixed. Thanks for your help.

Perfect to hear that @gavindoughtie and thanks for sharing!