Token format used in auth0-spa-js

Is the sdk auth0-spa-js using the id token? I’m utilizing auth0-spa-js with the redirect method. From what I saw in the method handleRedirectCallback, it simply decodes the id token from the authResult and caches it.

    const decodedToken = this._verifyIdToken(
      authResult.id_token,
      transaction.nonce
    );
    const cacheEntry = {
      ...authResult,
      decodedToken,
      audience: transaction.audience,
      scope: transaction.scope
    };
    this.cache.save(cacheEntry);

But from this article, Access Tokens, I think it’s recommended to use the access token to access various endpoints.

Does what the sdk did mean that we should use id token for both user information and api access verification? Thanks for any help.

Is sdk auth0-spa-js using id token?

The SDK gets back an Access Token and an ID Token.

The ID Token is meant to be consumed on the client (for authentication). It’s not meant to be used for authorization against a backend/API.

The Access Token is never read/consumed by the client, but only meant to be passed on to the backend/API to be used there for authorization.

The Access Token is available to the developer as JWT, while for the ID Token, the SDK already decodes it and provides the payload (content, user profile information), but not the raw JWT (at least not at the moment with the current version of the SDK).

I think it’s recommended to use access token to access various endpoints.

That is correct.

Does what the sdk did mean that we should use id token for both user information and api access verification?

No, don’t use the ID Token for API access / authorization. Use the Access Token for this instead. You can see the example on GitHub - auth0/auth0-spa-js: Auth0 authentication for Single Page Applications (SPA) with PKCE under “2. Calling an API”.

General docs on the different token types:
