Token in appSession cookie cannot be decoded

I was referring to the part of the token before the first period. For example, if you paste this token in jwt.io/, you’ll see the header decoded, but not the payload:

eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaWF0IjoxNjE3ODAzNDc5LCJ1YXQiOjE2MTc4ODE3MjUsImV4cCI6MTYxNzk2ODEyNX0..TIKxzG4pPsaR94xs.OcYKxDstl98CUxx9NfgjfBMNwjxChdT8CPP0ieAW6ODsBXBFaoPCIgBwGrZMxzDctd2nQs0eG52q1FGynbh4zmD1__Wu5zLlUHBojHCZB-kuJPLP-kzMxggr9dpQ7oZL02MgUh689Kh3byV6513QG3JSWw7kOmlll7o87aGrEShDPIxvaprHlDfM2iCfq9GJU0UuqHIhRAqWulrhVjEqDWuD9hwUVPQYVVQMkyF1JuNlqjzgFC0bKN0y_QSCLUMF8_SgoRyRYwJDSyFt_KV0dTYSpkcsGfL2vOuV6C5FI4VQvi-TX58tL0S18tnyviiZ7Qf73LNagysiXNW23QOwG61HEgDqhHdcAIHQgmnvkbbzXj2EeeRjYyXLiRPATBEEHLAcxm3x3yKNMsdDcWYNdEyPGTDlyk1aOhgA514AxzJbJFXqrJVm8D_S8VU1uUa4e_aKEwcwdEl0nSIGBpDEI9Q6J8e_NzQxnLi1ivuR1W77IwA3nDQHZwQV2maPZ88ia9Zb3I0xiBN7UR0mwHZZfWDuF5wX0ypYmKOCOYiqbgGjLfQAlReuieJ24LQ8htZUHlbeThtsn2_BBgztzBsCwvn5jH_6zeVnYlhy43uNmrZzBMM2bEQJRGS9Jr7S3RDBiu_qTxlDvdLuefDa1fyKLtn_MhA6-SlpC90F-n0KoJdXeULAffZo-4HgPSaMjeoFZiyZcWGAOW_CdT3yzpTqd7XXn1ZIDH9ftfLdOkMMsvB9Z5t5h2a-G2sIiAZ-ZsdFVq2hCqpAJxWrtJiN2SUHwiEhnwEDT7xGWun8MFNUL77-1OT1BGhFYPpJRGLGxtb86rVC5W7CzcT5tjeX7rdVRCkYcbOgAUUjwLG8j4WBAdR84V3T-ZvgNykyTJbIb-DIvvDEmwrEnKQOUQG2adqGHrRL433_VfgzSc7zwDgzNfSwCPWw9FbHdPUNQf39DGUK8TFFX3wbop5JfiPhGD8m5Y-5kVPONFcGVorj5rlP6jWK8bKiDFUcQZK9jhsXwq2tILjxrE53aVjj48ewQUJTQGZWJfRjjFjgBIgYiAS-XaKkbQb3f_XD-BYUXOyzNlLL0cAuXyRHhAdxk_aMD-b49dSHnovOMVk5RTJeRKHYu9l3DxA_qVFUHPm5UPZ29vSSmXiOGqSIWLXmHtJEvcwQ-7Paxuk-69OFAqOzkawOEcFzLj62MpXJbLfgw6vT9sz5vpkZjokbtmC6FpWhrbaeRWNTaukBEvE-UgUXLbivbgI9ijyRbf8f_55r__KiAl9OoyulJOVGHu2dDhI-9z0U9dvCB0IUpl0sIPQ_sHdwyGblvvyxQeCrnMwVh0naigKRKaq9rtn1uQvzKBu-o8cnecxt6AR6_TYm72xxGcTWY3_AmkWaMIRJkIfn0sWspgsBYW_7wziUceXoJQhoJfsp2M1zKZ8DUngBS70EFL1dc6Gz2i5zNjCsCB18GMyHLB-NeLSGoxMRW9AwQZ6vQQfqLSVbAp9V-w02pEC01qqPGQ6xbMO-rJMDWXXSfCfrxJH3Vph-oekmR6IGqbCS0wJU-bspkR0UOxpri7lGbIiMYNsWpELlnxWFS2YjdFzW9vFJYwc9IYOGRPFEgSl_DYwZ652w9Ijy4wjv3EJxh_PIHQNvMxVCNFyUdZCZsIQUn3ZfC-GxMCfh4IxRYJUeH5-E0E7U659aquFH9QEbqiayVQpv1KoXURcp0NTmYLjlil2EhHuJTGEE9AZIB2ItORjpM9NeOWCrjPZQ3sOlDCRP76Z0D3H52_sVx2QC0CD0bL8KFOlMvknj5QlwzMUIFqGgqT65bSyGX0MOU1YCJI84d7f7ClxWe_3W-w4DNbkOHydBD5slercxAFdpSQ2yEmWRLNW_GMUMsKu_rKKLZKyuPgtzhRRaq71VHJFEABIW6sh839oqYzuurnQT2PdKveleUWDBroryWBA0jm3VUMmZAPxO3-RbSwqez48dN_ATO_pkQocsiFThcaQ1Q1LsJjy9oeSptfRcN7lLA4_0ed8k2VZgFSJdGpS9xwDnlFBm6UB2VU1dLToiR634nkOaqshDJ4qz8zYvebGq8jkRa5josifjBU4zeE20DQwf1fqRhRd5ZsODlyxZ6U8YTkwajG4lhKq5vrzjsLKJWGdN7SMifPTdGTerc1akh7cQrIVocLNR.LbtkXlpuQ9MxUWwDcyZJmQ

The appSession cookie is used by the nextjs-auth0 SDK, but there is no need to decrypt it in your own code.

In most app architectural models, the client would receive an ID Token (a JWT that contains the user info). However, the nextjs-auth0 SDK will not expose the ID Token (or Access Token) to the client at all. If you were to check the network tab of dev tools in the browser, there’d be no way to find authentication info since this is all handled server-side.

In your app, to get user info from the ID Token, you’ll wrap the app in the UserProvider component, which will allow you to access user info in the client using the useUser hook. To use an Access Token to make a secure API request, you can use the SDK’s getAccessToken function.

This article explains how this works in the “Serverless with the user on the backend” section: How to Authenticate with Next.js and Auth0: A Guide for Every Deployment Model.
