I’m using the auth0-spa-js library using RS256 signing, and I’m seeing tokens with five parts (four periods). Snippet below. This seems to go against the three-part JWT structure. I’m curious what the deal is here? Can’t find any documentation on how the structure would change for this signing and how to verify.
This is the exact payload that was returned after calling getTokenSilently():
It looks like you’re receiving an opaque access token as opposed to a JWT. Are you including a valid audience in your authorize request? The following topics should be of use