Overview
This article describes the different formats for access tokens, specifically comparing opaque tokens and JSON Web Tokens (JWTs).
Applies To
- Access Token
Solution
Please check out the video and the information below:
An access token will be issued in one of the following formats:
- JSON Web Token (JWT): These tokens follow the JWT standard and contain claims (information about an entity). They are self-contained, meaning the recipient does not need to call a server to validate the token. Access Tokens for the Auth0 Management API or custom APIs registered with Auth0 are typically JWTs.
- Opaque Token: These tokens are in a proprietary format and act as a reference to information stored on a server. To validate an opaque token and retrieve user information, the recipient must call the server that issued it (for example, using the /userinfo endpoint for tokens issued by Auth0).
To receive an access token in JWT format:
- Include an audience parameter in the token request, specifying the intended recipient (e.g., the identifier of a registered custom API), as explained in Get Access Tokens.
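The following is an added example, not Auth0 code: a resource server's first step on receiving an access token, telling the two formats apart by structure and, for a JWT, checking that the `aud` claim matches the audience that was requested. The function names, the route labels and the sample tokens (including the `example.test` identifiers) are constructed for illustration; decoding the claims is not validation, so the JWT branch still requires signature verification with a JWT library.

```python
import base64
import json

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def classify_access_token(token):
    """Structural check only: the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:  # a signed compact JWT is header.payload.signature
        return {"format": "opaque"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return {"format": "opaque"}
    if not (isinstance(header, dict) and "alg" in header and isinstance(claims, dict)):
        return {"format": "opaque"}
    return {"format": "jwt", "header": header, "claims": claims}

def validation_route(token, expected_audience):
    """Decide how a resource server should go on to validate the token."""
    info = classify_access_token(token)
    if info["format"] == "opaque":
        return "ask-issuer"  # e.g. /userinfo for tokens issued by Auth0
    aud = info["claims"].get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if expected_audience not in audiences:
        return "reject-wrong-audience"
    return "verify-signature-locally"

def _make_sample_jwt(claims):
    # Constructed sample with a placeholder signature; it would fail real verification.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc(claims)}.c2lnbmF0dXJl'

API = "https://api.example.test/"  # constructed audience identifier
SAMPLE_JWT = _make_sample_jwt({"iss": "https://tenant.example.test/", "aud": API, "sub": "user-1"})
SAMPLE_OPAQUE = "kX9-constructed-opaque-token_01"  # constructed

if __name__ == "__main__":
    for tok in (SAMPLE_JWT, SAMPLE_OPAQUE):
        print(classify_access_token(tok)["format"], validation_route(tok, API))
```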