Is sdk auth0-spa-js using id token?
I'm utilizing auth0-spa-js with the redirect method. From what I saw in the method handleRedirectCallback, it simply decodes the ID token from the authResult and caches it.
The SDK gets back an Access Token and an ID Token.
The ID Token is meant to be consumed on the client (for authentication). It's not meant to be used for authorization against a backend/API.
The Access Token is never read/consumed by the client, but only meant to be passed on to the backend/API to be used there for authorization.
The Access Token is available to the developer as JWT, while for the ID Token, the SDK already decodes it and provides the payload (content, user profile information), but not the raw JWT (at least not at the moment with the current version of the SDK).
I think it’s recommended to use access token to access various endpoints.
That is correct.
Does what the sdk did mean that we should use id token for both user information and api access verification?
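The split described in the answer above (ID Token for the client, Access Token for the API), seen from the API side. This is an added example, not part of the original thread or of the SDK: the issuer, client ID, API identifier and key pair are constructed placeholders, and `mint` and `authorize` are hypothetical helpers.

```javascript
// Added example (Node.js). All identifiers below are constructed placeholders.
const nodeCrypto = require('node:crypto');

const ISSUER = 'https://tenant.example/';     // placeholder issuer
const CLIENT_ID = 'spa-client-id';            // placeholder SPA client ID
const API_AUDIENCE = 'https://api.example/';  // placeholder API identifier

// Stand-in for the tenant signing key; a real API loads the public key from the issuer's JWKS.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64url = (v) => Buffer.from(v).toString('base64url');

// Hypothetical helper: mint an RS256 JWT so the sample tokens can be built offline.
function mint(claims) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify({ iss: ISSUER, exp: Math.floor(Date.now() / 1000) + 300, ...claims }));
  const sig = nodeCrypto.sign('sha256', Buffer.from(`${head}.${body}`), privateKey).toString('base64url');
  return `${head}.${body}.${sig}`;
}

// API-side check: accept only a signed, unexpired token that was issued for this API.
function authorize(bearer) {
  const parts = String(bearer).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch { return { ok: false, reason: 'malformed' }; }
  if (!header || !claims || header.alg !== 'RS256') return { ok: false, reason: 'unexpected alg' };
  const signed = Buffer.from(`${head}.${body}`);
  if (!nodeCrypto.verify('sha256', signed, publicKey, Buffer.from(sig, 'base64url'))) return { ok: false, reason: 'bad signature' };
  if (claims.iss !== ISSUER) return { ok: false, reason: 'wrong issuer' };
  if (typeof claims.exp !== 'number' || claims.exp <= Date.now() / 1000) return { ok: false, reason: 'expired' };
  // An ID Token names the client application in `aud`, so it fails here even with a valid signature.
  const aud = [].concat(claims.aud ?? []);
  if (!aud.includes(API_AUDIENCE)) return { ok: false, reason: 'wrong audience' };
  return { ok: true, sub: claims.sub };
}

// Constructed samples: same user, same issuer, different audience.
const idToken = mint({ sub: 'user|1', aud: CLIENT_ID, name: 'Sample User' });
const accessToken = mint({ sub: 'user|1', aud: [API_AUDIENCE], scope: 'read:items' });
```

`authorize(accessToken)` succeeds, while `authorize(idToken)` is rejected with `wrong audience`, which is the check that keeps an ID Token from working as an API credential.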