Use JWT Access-Token from SPA SDK Login for backend API verification

Hello @all!

I have a SPA frontend where I use the Auth0 SDK for login.

After successful login, I can retrieve the accessToken from my auth0 client.

Now, I have a backend API in Python - FastAPI - which should only be accessible for authenticated users.
So, I add the access token retrieved from the SPA SDK to the backend request and want to validate the token now in my backend to make the data response. I do not need to query the Management API for further stuff, I just need to validate the token.

However, following the tutorial here, I cannot verify the token. With this code sample, I can only verify tokens issued for APIs. How can I verify tokens issued from SPA SDK applications?

Hi @prutheus,

Your SPA is not issuing any tokens here. The access token here is being issued by the auth server, to your SPA, for your API.

The API audience parameter you are setting in both your SPA and API should correspond with the API identifier you registered in the dashboard for your FastAPI.

In your SPA, you should be requesting a token with the audience/identifier you registered for your FastAPI in the dashboard, then you should be sending that token to your API, where it is verified to have the correct audience.

Does that make sense?
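
The backend-side check described in the answer above, as an added example that is not code from this thread or from Auth0: the API accepts a token only if its signature, issuer, expiry and `aud` claim (which must contain the API identifier) all check out. The issuer, API identifier and secret are assumed values, and HS256 with a constructed shared secret is used so the block runs with the standard library alone; for an RS256-signed token the signature would instead be checked against the tenant's published public key.

```python
import base64, hashlib, hmac, json, time

# Assumed values, not from the thread: tenant issuer, API identifier, and an
# HS256 signing secret (constructed so the example runs offline).
ISSUER = "https://tenant.example.com/"
API_AUDIENCE = "https://fastapi.example.com"
SECRET = b"constructed-demo-secret"

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims):
    """Build a constructed sample token, standing in for the auth server."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verify_access_token(token, now=None):
    """Return the claims if the token is valid for this API, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    head, body, sig = parts
    header = json.loads(b64d(head))
    # Pin the algorithm; never let the token header choose it (rejects "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64d(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # "aud" may be a single string or a list of audiences.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if API_AUDIENCE not in audiences:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    return claims
```

In a FastAPI route this function would sit behind a dependency that reads the `Authorization: Bearer` header and turns a `ValueError` into a 401 response.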