Validate access token failing

I raised a thread a few months ago (Sanity check on usage of serverless functions and Auth0) and unfortunately got too busy to continue with the demo. In that thread, Dan shared some sample code I could use to verify an access token retrieved on the client side via getTokenSilently.

In using the sample code though, I always get a jwt malformed error. I get a similar issue at (Although it can show a header w/ my domain in it.)

I’m assuming I’m doing something dumb here - does anyone see anything?

let token = 'token copied and pasted from a web app using auth0';

let domain = 	"";

var jwt = require('jsonwebtoken');
var jwksClient = require('jwks-rsa');
var client = jwksClient({
  jwksUri: `https://${domain}/.well-known/jwks.json`
function getKey(header, callback){
  client.getSigningKey(header.kid, function(err, key) {
    var signingKey = key.publicKey || key.rsaPublicKey;
    callback(null, signingKey);

jwt.verify(token, getKey, function(err, decoded) {
  console.log(err) // bar

Did you pass in an audience parameter to retrieve your access token? If you don’t pass in this parameter, you’ll get an opaque token, which is just a random string of characters, not a JWT.

Ah, I did not. Dumb question, but what should I use?

I’m not sure what you’re using to get the access token on the client. If you’re using one of our SDKs, they should have a way to pass in the audience. For example, here’s how it might look in an Angular app:

const config = {
  domain: 'YOUR_AUTH0_DOMAIN',
  clientId: 'YOUR_AUTH0_CLIENT_ID',
  authorizationParams: {
    redirect_uri: window.location.origin + '/home',
    audience: 'YOUR_AUTH0_API_IDENTIFIER',
  httpInterceptor: {
    allowedList: ['/api/*']

export const appConfig: ApplicationConfig = {
  providers: [

Another way to get an access token is with the Auth0 CLI.

auth0 test token -a https://<your-auth0-domain>/api/v2/ -s openid

I’m using just vanilla JS, basically the Getting Started docs. I modified it a tiny bit like so:

	if (isAuthenticated) {
		let token = await auth0Client.getTokenSilently();
		console.log('token?', token);

I’m sure I can just pass the audience - but I still don’t know what the audience value should be. :slight_smile:

You must’ve had to configure the auth0Client somehow to give it your Auth0 domain. What does that look like?

Yep, the domain is

Are you using auth0.js? If so, it looks like its constructor takes an audience parameter.

Nope, auth0-spa-js.js. Took me a bit to find it, but it looks like the ref is here, GetTokenSilentlyOptions | @auth0/auth0-spa-js.

So to be clear, my domain is the audience?

It’s possible that your audience contains your domain name. If you log in to your Auth0 Dashboard and go to Applications > APIs, you’ll see your APIs and their audiences. Copy it and put it in your JavaScript as a parameter and it should get you a JWT for the access token.

Boom, that did it, although I had to switch to getTokenWithPopup (although I believe Silently will work off localhost).

I appreciate your patience.

If you see the other thread I linked to up top, the whole point of this is:

Login to my app - and then get my sub value to use with the management API to make calls for the logged in user. In the other thread, it was suggested it would be more secure to get the token as well and verify that as well.