Opaque Versus JWT Access Token

Overview

This article describes the different formats for access tokens, specifically comparing opaque tokens and JSON Web Tokens (JWTs).

Applies To

  • Access Token

Solution

Please check out the video and the information below:

An access token will be issued in one of the following formats:

  • JSON Web Token (JWT): These tokens follow the JWT standard and contain claims (information about an entity). They are self-contained, meaning the recipient does not need to call a server to validate the token. Access Tokens for the Auth0 Management API or custom APIs registered with Auth0 are typically JWTs.
  • Opaque Token: These tokens are in a proprietary format and act as a reference to information stored on a server. To validate an opaque token and retrieve user information, the recipient must call the server that issued it (for example, using the /userinfo endpoint for tokens issued by Auth0).

To receive an access token in JWT format:

  • Include an audience parameter in the token request, specifying the intended recipient (e.g., the identifier of a registered custom API), as explained in Get Access Tokens. Without an audience, Auth0 issues an opaque token that can only be used against the /userinfo endpoint.
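The following added example (not Auth0's own code) shows the practical difference described above: a JWT is verified locally by checking its signature, issuer, audience and expiry, while an opaque token has no verifiable structure and must be sent back to the issuer (the /userinfo endpoint). It assumes HS256 with a shared secret as a stand-in for the RS256 key pair Auth0 actually uses, and the issuer, audience and secret values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders; a real API would use its Auth0 tenant domain and API identifier.
EXPECTED_ISS = "https://example-tenant.auth0.local/"
EXPECTED_AUD = "https://example-api.local"
SECRET = b"constructed-demo-secret"  # stand-in for the RS256 public key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict) -> str:
    """Issue a signed JWT (stands in for the authorization server)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def needs_introspection(token: str) -> bool:
    """An opaque token has no header.payload.signature structure to verify."""
    return len(token.split(".")) != 3


def validate_locally(token: str, now=None) -> dict:
    """Validate a JWT without any network call; raise ValueError on failure."""
    if needs_introspection(token):
        raise ValueError("opaque token: validate via the issuer's /userinfo endpoint")
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the token's own alg choice
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # Auth0 may issue aud as a string or a list
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims
```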
