I have a SPA app that calls to an API requiring an access token, all set up and working great.
When I sign in using WebAuth (passwordlessLogin), I get an AccessToken as expected (very long string “eyJ0eXAiO…” - probably 400 chars long, huge. API calls with this JWT token work great.
Then later I call checkSession() to “renew” the token. This method succeeds, no error. I clearly get a response back with both authResult.accessToken and authResult.idToken. HOWEVER, what I get this time is NOT an access token! It is a short token (like maybe 30-50 chars), not JWT and cannot be used for calls to the API.
Why? What is this non-JWT token being returned as an accessToken property of the response?
Nothing in the docs explains this.