Unexpected Response from Hosted Page

I have have customized my hosted page slightly with the following code:

var lock = new Auth0Lock(config.clientID, config.auth0Domain, {
      auth: {
        redirectUrl: config.callbackURL,
        responseType: 'token',
        params: {
          "audience": "https://api.<mydomain>.com",
          "scope": "openid profile email"

And the problem I am having is that when I redirect to the hosted page and log in I get this response:

  {accessToken: "NeBZE6lBSFQ_xVRL", idToken: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1rVX…htJBDkuGLCI-IRwixliKk3JaMxl5x1eRlNVIxsPb6ceR-KXFQ", idTokenPayload: Object, appStatus: null, refreshToken: null…}

Rather than a JWT accessToken I just get a short code along with an idToken and idTokenPayload object. Then if I log out, then log in again via clicking the “Last time you logged in with” link I get the expected response:

{accessToken: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1rVX…ls54ixMbu9qNBdnIvuVnl2YRLs6VU544AeGvZ56P5aE2a6dDg", idToken: null, idTokenPayload: null, appStatus: null, refreshToken: null…}

Then if I log out and log in again but click “Not your account?” and type in the credentials again I once again get the opaque token the first time and then the expected token on subsequent logins via “Last time you logged in with” link. If I disable Remember last login then I always get the opaque token.

Are you sure you are not changing anything in your auth.js options between logout and login? The first access token seems a jwt from the new flow, while the second one is an opaque token. Maybe you messed/missed your client id?

Pretty sure nothing is being changed, the options are configured in the hosted page script all I’m doing on the client is redirecting to the hosted page when the user clicks the login link and when they click logout the token is removed from local storage. I have updated my question above to try and more accurately describe what is happening.

The difference in the accessToken is important. The first one is the “old flow” access token, while the second one is the new one. There are different factors that determine which flow you are using.
May I suggest you to log out the “config” object and Auth0Lock 3rd argument, i.e. { auth: … } just to be sure they are not changing due to the way you access the hosted page? A simple “console.log” is enough.

Looks like I’ve fixed my issues by reverting the hosted page code to standard and instead configuring my options on the client and logging in via the auth0.authorize() method instead of just a link to the hosted page. I was following a guide that must have been based on the “old flow” as well as reading docs based on the “new flow” so must have got my wires crossed, thanks for your help.