Understanding RS256 Tokens

I’m using the auth0-spa-js library using RS256 signing, and I’m seeing tokens with five parts (four periods). Snippet below. This seems to go against the three-part JWT structure. I’m curious what the deal is here? Can’t find any documentation on how the structure would change for this signing and how to verify.

This is the exact payload that was returned after calling getTokenSilently():

eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9oYW1yYWguYXV0aDAuY29tLyJ9..8eNPbSQoVv0qKBKA.gv9d1TK5iJVDKgzWDuOBTDrCr39UkcKp4wvj-yZg-mS48kQpvg9mxmo05sCm2V5JKfaTDqKvcnOGp4o97aItDQNJxIfPhw5Id86XXicSljnewJ_bbV5DEG3q4VYkm9dapWyRuQW3Fx3i0KzTIJ0YClK7oaD8E6o8SavIFrNwOw2zhtXVX4a1xpIHJFYdNTmAUJ3Eo6EwHDiaW31BWw8BIKeKRN1FHnqO1IlLCgxi_qA3HM3rvLPJJuqBXaYBPZnMO2m07MlnkqpKHY7O-2GovktfY7UHTpyeBms6hPn8VXF061tmzA.pBt4_0LMVg78B7a9UzdkHg

Hello there @mhamrah welcome to the community!

It looks like you’re receiving an opaque access token as opposed to a JWT. Are you including a valid audience in your authorize request? The following topics should be of use :slight_smile:

1 Like