Verify 32 character access token from Lock in my API?

lock

#1

I am currently allowing a user to log in with Lock on the front end. After the user authenticates, I receive the 32 character access token from authResult.accessToken. I want to take this token and send it to an API endpoint where it can be verified before responding back to the front end with whatever data.

What is the easiest way to verify that this access token is valid? Is there simply an Auth0 endpoint I can send it to for verification? I know I can try to verify a JWT with the jsonwebtoken NPM library, but the token I get back from the Lock authentication appears to just be a 32 character token and not a JWT?


#2

Hi!

What audience are you specifying when configuring Lock?

If you use no audience, or specify ‘/userinfo’, you will get an opaque token valid to call the ‘/userinfo’ endpoint (https://auth0.com/docs/tokens/access-token#access-token-format). If you want a token for your API, you need to specify the audience for the API. In that case, you will get a JWT token you can then verify with jsonwebtoken in your NodeJS app.
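
The distinction drawn in the reply above, as an added example that is not part of the original thread: an API-side check that rejects the opaque 32-character token and validates a JWT access token's signature, expiry, issuer and audience. It uses Node's built-in `crypto` so it runs offline; the RS256 algorithm, the throwaway key pair, the issuer/audience values and the function names are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed fixtures: a throwaway RSA key standing in for the tenant signing key,
// and placeholder issuer/audience values (assumptions, not taken from the thread).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUER = 'https://tenant.example/';
const AUDIENCE = 'https://api.example/';

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const decode = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Builds a constructed RS256 token so the example needs no network or tenant.
function signSample(claims) {
  const input = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

function verifyAccessToken(token, { key, issuer, audience, now = Math.floor(Date.now() / 1000) }) {
  const parts = String(token).split('.');
  // An opaque token (such as the 32-character one) has no header.payload.signature
  // shape, so the API cannot verify it locally.
  if (parts.length !== 3) return { ok: false, reason: 'opaque' };
  let header, claims;
  try {
    header = decode(parts[0]);
    claims = decode(parts[1]);
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the expected algorithm instead of trusting the token's own header.
  if (header?.alg !== 'RS256') return { ok: false, reason: 'alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('sha256', signed, key, Buffer.from(parts[2], 'base64url'))) {
    return { ok: false, reason: 'signature' };
  }
  if (typeof claims?.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  if (claims.iss !== issuer) return { ok: false, reason: 'issuer' };
  // aud may be a single string or an array of strings.
  if (![].concat(claims.aud ?? []).includes(audience)) return { ok: false, reason: 'audience' };
  return { ok: true, claims };
}
```

In a real API the jsonwebtoken library mentioned in the thread performs these checks; the point here is which ones must pass before the token is trusted.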