Here are the steps I did:
- Created a silent login URL.
- This successfully redirects me to the intended page with an authorization code and state.
- I made a POST call to /auth/token and received an access_token (the JSON returned also gives an id_token).
- I then passed the access_token in the Authorization header (with the `Bearer` string prefixed to the access_token).
- Used express-jwt (as per the boilerplate code on the Auth0 site) to verify the access_token, but I keep getting message

I seem to get a 64 bit encoded string as the access_token. When I pasted this string into jwt.io, it did not decode.

I tried passing the id_token instead and it worked. However, I see a note on the Auth0 site that the id_token should not be used for securing APIs. How do I verify the access_token inside the API? Have I missed some step?