Token in appSession cookie cannot be decoded

We are using nextjs auth0 SDK to integrate: GitHub - auth0/nextjs-auth0: Next.js SDK for signing in with Auth0

However, the appSession cookie (with value eyJhbGciOiJka…) generated from it does seem to be in JWT format, which also looks to be much longer, and our backend could not decode it.

May I ask any idea why? And how should I decode the token?
Thank you!

Hi @williamwjs,

The appSession cookie is an encrypted cookie. You can decode the token header, but that is the only info available:

{
  "alg": "dir",
  "enc": "A256GCM",
  "iat": 1617803479,
  "uat": 1617803480,
  "exp": 1617889880
}

Would you mind providing more context around your use case to see how I might help you get the info you need? Thanks!

@stephanie.chamblee Thank you for your reply!

May I ask which header are you referring to?

Through the SDK, it calls back with http://localhost:3000/api/auth/callback?code=…&state=…
And I only saw Set-Cookie in the response header, which has the appSession that is un-decodable

I was referring to the part of the token before the first period. For example, if you paste this token in jwt.io, you’ll see the header decoded, but not the payload:

eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaWF0IjoxNjE3ODAzNDc5LCJ1YXQiOjE2MTc4ODE3MjUsImV4cCI6MTYxNzk2ODEyNX0..TIKxzG4pPsaR94xs.OcYKxDstl98CUxx9NfgjfBMNwjxChdT8CPP0ieAW6ODsBXBFaoPCIgBwGrZMxzDctd2nQs0eG52q1FGynbh4zmD1__Wu5zLlUHBojHCZB-kuJPLP-kzMxggr9dpQ7oZL02MgUh689Kh3byV6513QG3JSWw7kOmlll7o87aGrEShDPIxvaprHlDfM2iCfq9GJU0UuqHIhRAqWulrhVjEqDWuD9hwUVPQYVVQMkyF1JuNlqjzgFC0bKN0y_QSCLUMF8_SgoRyRYwJDSyFt_KV0dTYSpkcsGfL2vOuV6C5FI4VQvi-TX58tL0S18tnyviiZ7Qf73LNagysiXNW23QOwG61HEgDqhHdcAIHQgmnvkbbzXj2EeeRjYyXLiRPATBEEHLAcxm3x3yKNMsdDcWYNdEyPGTDlyk1aOhgA514AxzJbJFXqrJVm8D_S8VU1uUa4e_aKEwcwdEl0nSIGBpDEI9Q6J8e_NzQxnLi1ivuR1W77IwA3nDQHZwQV2maPZ88ia9Zb3I0xiBN7UR0mwHZZfWDuF5wX0ypYmKOCOYiqbgGjLfQAlReuieJ24LQ8htZUHlbeThtsn2_BBgztzBsCwvn5jH_6zeVnYlhy43uNmrZzBMM2bEQJRGS9Jr7S3RDBiu_qTxlDvdLuefDa1fyKLtn_MhA6-SlpC90F-n0KoJdXeULAffZo-4HgPSaMjeoFZiyZcWGAOW_CdT3yzpTqd7XXn1ZIDH9ftfLdOkMMsvB9Z5t5h2a-G2sIiAZ-ZsdFVq2hCqpAJxWrtJiN2SUHwiEhnwEDT7xGWun8MFNUL77-1OT1BGhFYPpJRGLGxtb86rVC5W7CzcT5tjeX7rdVRCkYcbOgAUUjwLG8j4WBAdR84V3T-ZvgNykyTJbIb-DIvvDEmwrEnKQOUQG2adqGHrRL433_VfgzSc7zwDgzNfSwCPWw9FbHdPUNQf39DGUK8TFFX3wbop5JfiPhGD8m5Y-5kVPONFcGVorj5rlP6jWK8bKiDFUcQZK9jhsXwq2tILjxrE53aVjj48ewQUJTQGZWJfRjjFjgBIgYiAS-XaKkbQb3f_XD-BYUXOyzNlLL0cAuXyRHhAdxk_aMD-b49dSHnovOMVk5RTJeRKHYu9l3DxA_qVFUHPm5UPZ29vSSmXiOGqSIWLXmHtJEvcwQ-7Paxuk-69OFAqOzkawOEcFzLj62MpXJbLfgw6vT9sz5vpkZjokbtmC6FpWhrbaeRWNTaukBEvE-UgUXLbivbgI9ijyRbf8f_55r__KiAl9OoyulJOVGHu2dDhI-9z0U9dvCB0IUpl0sIPQ_sHdwyGblvvyxQeCrnMwVh0naigKRKaq9rtn1uQvzKBu-o8cnecxt6AR6_TYm72xxGcTWY3_AmkWaMIRJkIfn0sWspgsBYW_7wziUceXoJQhoJfsp2M1zKZ8DUngBS70EFL1dc6Gz2i5zNjCsCB18GMyHLB-NeLSGoxMRW9AwQZ6vQQfqLSVbAp9V-w02pEC01qqPGQ6xbMO-rJMDWXXSfCfrxJH3Vph-oekmR6IGqbCS0wJU-bspkR0UOxpri7lGbIiMYNsWpELlnxWFS2YjdFzW9vFJYwc9IYOGRPFEgSl_DYwZ652w9Ijy4wjv3EJxh_PIHQNvMxVCNFyUdZCZsIQUn3ZfC-GxMCfh4IxRYJUeH5-E0E7U659aquFH9QEbqiayVQpv1KoXURcp0NTmYLjlil2EhHuJTGEE9AZIB2ItORjpM9NeOWCrjPZQ3sOlDCRP76Z0D3H52_sVx2QC0CD0bL8KFOlMvknj5QlwzMUIFqGgqT65bSyGX0MOU1YCJI84d7f7ClxWe_3W-w4DNbkOHydBD5slercxAFdpSQ2yEmWRLNW_GMUMsKu_rKKLZKyuPgtzhRRaq71VHJFEABIW6sh839oqYzuurnQT2PdKveleUWDBroryWBA0jm3VUMmZAPxO3-RbSwqez48dN_ATO_pkQocsiFThcaQ1Q1LsJjy9oeSptfRcN7lLA4_0ed8k2VZgFSJdGpS9xwDnlFBm6UB2VU1dLToiR634nkOaqshDJ4qz8zYvebGq8jkRa5josifjBU4zeE20DQwf1fqRhRd5ZsODlyxZ6U8YTkwajG4lhKq5vrzjsLKJWGdN7SMifPTdGTerc1akh7cQrIVocLNR.LbtkXlpuQ9MxUWwDcyZJmQ

The appSession cookie is used by the nextjs-auth0 SDK, but there is no need to decrypt it in your own code.

In most app architectural models, the client would receive an ID Token (a JWT that contains the user info). However, the nextjs-auth0 SDK will not expose the ID Token (or Access Token) to the client at all. If you were to check the network tab of dev tools in the browser, there’d be no way to find authentication info since this is all handled server-side.

In your app, to get user info from the ID Token, you’ll wrap the app in the UserProvider component, which will allow you to access user info in the client using the useUser hook. To use an Access Token to make a secure API request, you can use the SDK’s getAccessToken function.

This article explains how this works in the “Serverless with the user on the backend” section: How to Authenticate with Next.js and Auth0: A Guide for Every Deployment Model.
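To make the "header decodes, payload does not" point concrete, here is an added Node.js example (not code from the thread or from the nextjs-auth0 SDK). It parses a token in compact form, tells a signed JWT (JWS, three dot-separated parts) apart from an encrypted one (JWE, five parts), and shows why the appSession cookie has the `..` after the header: with `alg: "dir"` the encrypted-key segment is empty. The protected header segment used as sample input is the one quoted in the thread above; the IV, ciphertext and tag segments are constructed placeholders, and the JWS sample is built in the script with a placeholder signature. Nothing here verifies a signature or decrypts anything, which is the point: without the server-side secret a backend can read the header (including `iat`, `uat`, `exp`) and nothing else.

```javascript
// Added example: inspect a nextjs-auth0 appSession cookie value without the secret.
// Uses only Node's built-in Buffer; no third-party library, no SDK code.

// Base64url decode with padding restored (token segments are unpadded).
function b64urlDecode(segment) {
  const pad = '='.repeat((4 - (segment.length % 4)) % 4);
  return Buffer.from(segment.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64');
}

function b64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Classify a compact token as JWS (3 parts) or JWE (5 parts) and return what is readable.
// This only parses structure: it does not verify signatures or decrypt ciphertext.
function inspectToken(token) {
  const parts = token.split('.');
  const header = JSON.parse(b64urlDecode(parts[0]).toString('utf8'));
  if (parts.length === 5 && header.enc) {
    // JWE compact serialization: header.encryptedKey.iv.ciphertext.tag
    return {
      kind: 'JWE',
      header,
      payload: null,              // ciphertext: unreadable without the server-side secret
      directKey: parts[1] === '', // alg "dir" => empty encrypted-key segment, hence the ".."
      ivBytes: b64urlDecode(parts[2]).length,
      tagBytes: b64urlDecode(parts[4]).length,
    };
  }
  if (parts.length === 3 && !header.enc) {
    // JWS: header.payload.signature, the payload is plain base64url JSON
    return { kind: 'JWS', header, payload: JSON.parse(b64urlDecode(parts[1]).toString('utf8')) };
  }
  throw new Error(`unrecognised token shape: ${parts.length} segments`);
}

// exp (and uat) sit in the protected header of the appSession cookie, so a
// relying party can see whether the cookie has expired even though it cannot
// read the encrypted session contents.
function isExpired(header, nowSeconds = Math.floor(Date.now() / 1000)) {
  return typeof header.exp === 'number' && header.exp <= nowSeconds;
}

// Sample input (constructed): the header segment is the one quoted in the thread;
// the IV, ciphertext and tag segments are placeholders, not real cipher bytes.
const SAMPLE_APP_SESSION = [
  'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaWF0IjoxNjE3ODAzNDc5LCJ1YXQiOjE2MTc4ODE3MjUsImV4cCI6MTYxNzk2ODEyNX0',
  '',                       // encrypted key: empty for alg "dir"
  'AAAAAAAAAAAAAAAA',       // 12-byte IV placeholder (A256GCM uses a 96-bit nonce)
  'Y29uc3RydWN0ZWQ',        // ciphertext placeholder
  'AAAAAAAAAAAAAAAAAAAAAA', // 16-byte GCM tag placeholder
].join('.');

// Constructed JWS for contrast: the payload is readable; the signature is a placeholder.
const SAMPLE_JWS = [
  b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  b64urlEncode(JSON.stringify({ sub: 'user-123', exp: 1617968125 })),
  'placeholder-signature',
].join('.');

console.log(JSON.stringify(inspectToken(SAMPLE_APP_SESSION), null, 2));
console.log(JSON.stringify(inspectToken(SAMPLE_JWS), null, 2));
```

Running it prints `"kind": "JWE"`, the header with `alg: "dir"` and `enc: "A256GCM"`, and `"payload": null` for the cookie, versus `"kind": "JWS"` with a readable payload for the constructed JWT. That is exactly the behaviour jwt.io shows for the cookie, and it is why the backend in the question could not "decode" it: there is no payload to decode, only ciphertext.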

Ah I see.
@stephanie.chamblee Thank you for the link! That is really helpful!!!
