Why is my access token not a JWT? (Opaque Token)

Question: Why is my access token not a JWT? (Opaque Token)

Answer:

An access token will be issued in one of the following formats:

  • JSON Web Token (JWT): Tokens that conform to the JSON Web Token standard and contain information about an entity in the form of claims. They are self-contained: the recipient does not need to call a server to validate the token. Access Tokens issued for the Auth0 Management API and Access Tokens issued for any custom API that you have registered with Auth0 follow the JSON Web Token (JWT) standard, which means that their basic structure conforms to the typical JWT Structure, and they contain standard JWT Claims asserted about the token itself.

  • Opaque tokens: Tokens in a proprietary format that typically contain an identifier that points to information in a server’s persistent storage. To validate an opaque token, the recipient of the token needs to call the server that issued the token. Opaque Access Tokens are tokens whose format you cannot access. Opaque Access Tokens issued by Auth0 can be used with the /userinfo endpoint to return a user’s profile.

How do I request a JWT?

In order to receive a JWT you must include an audience parameter with your token request. Typically, this would be an external API, like a custom API you have registered in the dashboard. See this doc for details:

Supporting Documentation:

Documentation: Access Tokens, Tokens
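
The two points above can be checked in code. The following is an added example, not Auth0's own code: it classifies a token by structure as JWT-shaped or opaque, and builds an authorization request that includes the audience parameter. The function names, the tenant domain, the API identifier and the sample tokens are all constructed for illustration.

```javascript
// Added example: function names, domain and sample tokens are constructed.
// Decode one base64url segment to a JSON object, or null if it is not one.
function decodeSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) return null;
  try {
    const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
    const value = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    return value !== null && typeof value === "object" && !Array.isArray(value) ? value : null;
  } catch {
    return null;
  }
}

// Classify by structure only. "jwt" means header.payload.signature with a JSON
// header and payload; it does NOT mean the signature has been verified.
function classifyAccessToken(token) {
  if (typeof token !== "string") return { format: "invalid" };
  const parts = token.split(".");
  if (parts.length !== 3) return { format: "opaque" };
  const header = decodeSegment(parts[0]);
  const claims = decodeSegment(parts[1]);
  if (!header || typeof header.alg !== "string" || !claims) return { format: "opaque" };
  return { format: "jwt", alg: header.alg, aud: claims.aud };
}

// Build an authorization request; `audience` names the API the token is for.
function buildAuthorizeUrl({ domain, clientId, redirectUri, audience, scope }) {
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    // Omitted when no API identifier is given.
    ...(audience ? { audience } : {}),
  }).toString();
  return url.toString();
}

// Constructed sample tokens (the signature segment is a dummy value).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleJwt = [b64url({ alg: "RS256", typ: "JWT" }),
  b64url({ aud: "https://api.example.test", sub: "user-1" }), "c2lnbmF0dXJl"].join(".");
const sampleOpaque = "kQ3xExampleOpaqueValue_constructed";
```

A "jwt" result only describes the token's shape; the API that receives it must still verify the signature and check the aud claim before trusting any of the claims.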
