Question: What is the difference between idToken and accessToken, and why can't I just use idToken to call my API?
Answer:
Auth0 uses two types of tokens:
- JSON Web Tokens (JWT): Tokens that conform to the JSON Web Token (JWT) standard and contain information about an identity in the form of claims. They are self-contained in that it is not necessary for the recipient to call a server to validate the token.
- Opaque tokens: Tokens in a proprietary format that typically contain some identifier to information in a server’s persistent storage. To validate an opaque token, the recipient of the token needs to call the server that issued the token.
The differences between idToken and accessToken are found in the doc below:
Here’s a helpful blog post as well:
In addition, the following lists out why you should always use tokens to secure APIs:
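The two token styles described above, as an added example that is not part of the original answer or of Auth0's own libraries. It shows what "self-contained" means for a JWT (the API checks the signature, issuer, audience and expiry locally) versus an opaque token (the API has to ask the issuer). It also shows why an ID token fails at an API: its `aud` claim is the client id, not the API identifier. Assumptions: a shared HS256 secret stands in for the issuer's signing key (Auth0 tenants normally use RS256 with a public JWKS, which changes only the signature step), the issuer, audience and client id strings are made up, and the `_OPAQUE_STORE` dictionary is a constructed stand-in for an introspection endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only: none of these are real.
SECRET = b"example-shared-secret-not-a-real-key"
ISSUER = "https://example-tenant.auth0.example/"
API_AUDIENCE = "https://api.example.com/"       # what an access token's aud should contain
CLIENT_ID = "example-client-id"                  # what an ID token's aud contains instead


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_jwt(claims: dict) -> str:
    """Issuer side (constructed): produce a compact JWT signed with the shared secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url_encode(json.dumps(header).encode())}.{b64url_encode(json.dumps(claims).encode())}"
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def validate_jwt_access_token(token: str, now=None) -> dict:
    """API side: validate a JWT locally, with no call back to the issuer.

    Raises ValueError with a reason on any failure; returns the claims on success.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm before trusting anything in the header.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Signature check over the exact bytes that were signed, in constant time.
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")

    # aud may be a string or a list; this API must be among the intended audiences.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in audiences:
        raise ValueError("aud mismatch: token was not issued for this API")

    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


# Constructed stand-in for the issuer's persistent store / introspection endpoint.
OPAQUE_STORE = {
    "opaque-abc123": {"active": True, "sub": "user|1", "scope": "read:items", "aud": API_AUDIENCE},
    "opaque-revoked": {"active": False, "sub": "user|2", "scope": "read:items", "aud": API_AUDIENCE},
}


def introspect_opaque_token(token: str) -> dict:
    """API side for an opaque token: the token carries no claims, so the API must
    look it up at the issuer (here, the constructed dictionary) before trusting it."""
    record = OPAQUE_STORE.get(token)
    if record is None or not record["active"]:
        raise ValueError("token unknown or inactive")
    return record


if __name__ == "__main__":
    now = time.time()
    access = mint_hs256_jwt({"iss": ISSUER, "aud": API_AUDIENCE, "sub": "user|1", "exp": now + 3600})
    id_token = mint_hs256_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user|1", "exp": now + 3600})
    print("access token ok:", validate_jwt_access_token(access)["sub"])
    try:
        validate_jwt_access_token(id_token)
    except ValueError as err:
        print("id token rejected:", err)
    print("opaque token ok:", introspect_opaque_token("opaque-abc123")["scope"])
```

The ID token in the `__main__` block is signed by the same issuer and is not expired; the only thing that rejects it is the audience check, which is exactly the point of the answer above: the ID token is addressed to the application that logged the user in, not to the API, so an API that accepted it would be trusting a token that was never meant for it.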