However, the appSession cookie (with value eyJhbGciOiJka…) generated from it does seem to be in JWT format, which also looks to be much longer, and our backend could not decode it.
May I ask if you have any idea why? And how should I decode the token?
Thank you!
I was referring to the part of the token before the first period. For example, if you paste this token in jwt.io/, you’ll see the header decoded, but not the payload:
The appSession cookie is used by the nextjs-auth0 SDK, but there is no need to decrypt it in your own code.
In most app architectural models, the client would receive an ID Token (a JWT that contains the user info). However, the nextjs-auth0 SDK will not expose the ID Token (or Access Token) to the client at all. If you were to check the network tab of dev tools in the browser, there’d be no way to find authentication info since this is all handled server-side.
In your app, to get user info from the ID Token, you’ll wrap the app in the UserProvider component, which will allow you to access user info in the client using the useUser hook. To use an Access Token to make a secure API request, you can use the SDK’s getAccessToken function.