Validating an access token and extracting user email and scope

Hi team,

I have generated an access token for a SPA/web-type application using the authorization code flow grant type (with the two-step process below):

  1. Got the authorization code by executing the GET /authorize API in the browser.
  2. In Postman, executed the POST /token API by sending the authorization code (from step 1); here I got only an access token. I do not see an ID token coming along with the access token.

I’ve added a rule to include the user email in the access token payload, which I have also validated manually at jwt.io.

I’ve sent this access token in the request headers (Authorization: Bearer header) to my application API, and my application API authorization is working as expected.

Now we have a use case to verify the user email and scope against custom policies at my application API, so that my application ensures only authorized users can perform certain business activities.

To implement this I need to extract/decode the scope and user email from the access token payload (in my application). I was hoping Auth0 might have an introspect API (similar to Okta’s introspect endpoint). Going through the Auth0 Community, I learnt that Auth0 does not seem to have an introspect API. As an alternative I’m trying the /userinfo API (passing the access token), but I’m getting a 401 Unauthorized (invalid credentials) error message.

Can you confirm whether going with /userinfo is the right approach here?
If so, how do I call the /userinfo API providing the access token?

Can you help me with this info?

Thanks,
Srini

Hi @srinivasarao.yenduva,

Welcome to the Auth0 Community!

You have a few options. You can retrieve user data via the /userinfo endpoint OR you can inspect the token directly by decoding it. Depending on what framework/language you are using, you can find an example in our quickstarts.

Let me know more details and I can help you find an example.
