Invalid Access Token Error When Decoding an Access Token

Overview

This article explains how to resolve an invalid token error that occurs when decoding an access token. The token received during an authentication flow appears as an unreadable, random string of characters instead of the expected three-part JSON Web Token (JWT) format.

Applies To
  • Access Tokens
  • Authentication
  • API

Cause

The root cause of this error is the absence of an audience parameter in the initial authentication request.

When a request for a token is made without specifying an audience, the authorization server does not know which API the token is intended for. As a result, it issues an opaque token. An opaque token is a unique, unreadable string that is not in the JWT format. It is intended to be used only to retrieve user information from the /userinfo endpoint of the authorization server and cannot be decoded or validated by an API.

This behavior can cause confusion because an ID Token, which is always a JWT, is often issued in the same flow. The ID token decodes correctly, leading developers to believe the access token should as well.

Explicitly Requesting an Access Token for an API

  • The Role of audience: The audience parameter is the key to getting a JWT access token. By including audience=YOUR_API_IDENTIFIER in the request, you are telling Auth0, "I need a token specifically for the API with this identifier."

  • Issuing a JWT Access Token: When Auth0 receives an audience parameter, it generates a valid JWT access token. This token will contain the necessary claims and a signature, allowing it to be decoded by JWT.io and, more importantly, validated and used by your protected API.

Solution

To resolve this issue and receive a valid JWT access token, include the audience parameter in the /authorize request. The value for the audience parameter must be the unique identifier of the API that the token is intended to access.


The following is an example of an authentication request that correctly includes the audience parameter:

https://<YOUR_DOMAIN>/authorize?
    audience=https://<YOUR_API_IDENTIFIER>&
    scope=openid profile read:appointments&
    response_type=token&
    client_id=<YOUR_CLIENT_ID>&
    redirect_uri=https://<YOUR_APP>/callback


Key parameters in this request include:

  • audience: This is the critical parameter. Its value must be the unique identifier for the API registered in the authorization server's dashboard.

  • response_type: A value of token indicates that the request is for an access token to be returned directly from this endpoint.

  • scope: Defines the specific permissions (for example, read:appointments) that are being requested for the access token.
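As an added example (not part of the original article or Auth0's own code), the following Python helpers build the /authorize request above with a mandatory audience parameter and distinguish a decodable JWT access token from an opaque one. The domain, client ID, API identifier and token values are constructed placeholders; a "jwt" result only means the token has the three-part structure, and the API must still verify its signature and aud claim.

```python
import base64
import json
from urllib.parse import parse_qs, quote, urlencode, urlsplit


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(audience: str) -> str:
    """Constructed three-part token with a placeholder (unsigned) signature segment."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": "https://example.auth0.com/",
                                         "aud": audience}).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


def classify_access_token(token: str) -> str:
    """Return 'jwt' if the token has three base64url segments whose header and payload
    decode to JSON objects (header carrying 'alg'); otherwise 'opaque'."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all derive from ValueError
        return "opaque"
    if not isinstance(header, dict) or "alg" not in header or not isinstance(payload, dict):
        return "opaque"
    return "jwt"


def decoded_audience(token: str):
    """Return the 'aud' claim of a JWT access token, or None for an opaque token."""
    if classify_access_token(token) != "jwt":
        return None
    return json.loads(_b64url_decode(token.split(".")[1])).get("aud")


def build_authorize_url(domain, client_id, redirect_uri, audience, scope,
                        response_type="token"):
    """Build the /authorize URL from the article; refuses to omit the audience."""
    if not audience:
        raise ValueError("audience is required to obtain a JWT access token")
    query = urlencode({"audience": audience, "scope": scope, "response_type": response_type,
                       "client_id": client_id, "redirect_uri": redirect_uri}, quote_via=quote)
    return f"https://{domain}/authorize?{query}"


def audience_in_request(url: str) -> bool:
    """True when the request carries a non-empty audience parameter."""
    return bool(parse_qs(urlsplit(url).query).get("audience"))
```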
