So I’ve read this page top to bottom and am still confused about the separation of concerns between ID and access tokens.
That page clearly states “Access Tokens must never be used for authentication”. My question is: “Can I use access tokens for authentication?”
I want to pass the access token to my (first-party) backend API. I don’t need any information about them except their User ID. The way you make it sound, I’d need to send both the id_token and access_token to my backend: one to authenticate, one to authorize. Do I need to do that? Or can I rely on the access_token to authenticate the user? In that case, can you take this terribly over-reaching statement out of the docs?
Hey there @colin, you may find the doc below a little more in tune with your desired result when exchanging information with your API. Please let me know if this helps you in your quest and I will continue to investigate the documentation with our team for validity. Thanks!
Your Auth0 Authorization Server responds with an ID Token and Access Token (and optionally, a Refresh Token).
Your application can use the Access Token to call an API to access information about the user.
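Added example, not part of the original thread or of Auth0's documentation: an API-side check that accepts a JWT access token only when its `aud` names this API, then reads the user ID from `sub`, so an ID token (whose audience is the client application) is rejected. HS256 with a shared secret, and the issuer, audience, client ID and user ID values, are constructed assumptions so the block runs offline; a deployed API would verify against the keys its authorization server actually uses.

```python
import base64, hashlib, hmac, json, time

# All values below are constructed for this example.
SECRET = b"constructed-demo-secret"
ISSUER = "https://tenant.example/"
API_AUDIENCE = "https://api.example/orders"   # identifier of the backend API
CLIENT_ID = "constructed-client-id"           # audience an ID token would carry

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims):
    """Build an HS256 JWT (helper that produces the sample tokens)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def user_id_from_access_token(token, now=None):
    """Return `sub` only if the token is valid and was issued for this API."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_unb64(head))
        claims = json.loads(_unb64(body))
        given = _unb64(sig)
    except ValueError as exc:                 # bad segment count, base64 or JSON
        raise PermissionError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":          # pin the algorithm server-side
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise PermissionError("bad signature")
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    aud = claims.get("aud")                   # may be a string or a list
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("token not issued for this API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise PermissionError("expired")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise PermissionError("missing sub")
    return sub
```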