With the old WebAuth sdk, the access token was a large-ish JWT that included a “sub” parameter, so I could, for example, decode it on my Django API server and use middleware to look up a user record and perform fine-grained app level permissioning in my GraphQL resolvers, etc.
With the new SPA SDK, the access token returned is a short little thing that doesn’t decode as a JWT. The node example here: https://github.com/auth0-samples/auth0-react-samples/blob/master/02-Calling-an-API/server.js appears to just be validating that Auth0 correctly signed the token, but there’s no way to get the info out of it.
Am I missing an important bit of conceptual understanding? It’s been a pretty long day.