Very confused on requesting an Access Token for accessing my API

I am learning how to use Auth0 with our Next.js application. Using the nexjs-auth0 SDK. I have successfully authenticated with Auth0 and receive an ID Token and access token (for use against the Auth0 management api). This seems to be the default configuration of things. We have an API we have setup which will use Auth0 authentication as well. What I can’t figure out after hours of reading through documentation is how to get an access_token to use against the API.

I keep reading that you don’t use an ID Token (profile info) for an API, use an Access Token. In addition it reads to get an Access Token when you authenticate the user(login). I have not been able to figure this out.

I have defined the application and API end point in Auth0.
There is a user setup and assigned a role.
This role has a few scopes I through on it.

Am I able to get both the ID Token and the access token for our api in the same login call or do I request the API access token after the user is logged in? I am assuming the API access token will be a bearer jwt type-token.

1 Like

Yes. Make sure you are passing audience parameter in your call to /authorize and value should be your own api identifier https://auth0.com/docs/tokens/guides/access-token/get-access-tokens#control-access-token-audience

1 Like

From what I can tell it is being set, and it’s only value is the client_id of the application. Do I send multiple audience?

audience value must be API Identifier and NOT client_id of the application

Okay. If I do that will I still get the profile data of the user? Still confused. Sorry.

API Identifier (a uri) not the API ID from what I am seeing. Correct?

So the audience is set when you initialize Auth0. And it appears instead of getting the accessToken which can be used against the Auth0 management api, I get an accessToken for my custom API. There is still a profileid sent as well. Why an API configuration would contain both an ID and an Identifier is lost on me.

Looking at the access token for the api, the scope reads: ‘openid profile’, shouldn’t this have the security scopes set for this user? If it needs to be requested, what is the scope name used to request them?

I found the switch on the API configuration to add permissions to the token.

2 Likes