Receive the client_id Claim Instead of the azp Claim in an Auth0 Access Token
By default, Auth0 access tokens include the Authorized Party (azp) claim to represent the client ID. Certain services, such as Amazon Bedrock AgentCore Runtime, require the client_id claim directly in the JSON Web Token (JWT). To resolve this, update the tenant access token profile to the Internet Engineering Task Force (IETF) JWT Profile for OAuth 2.0 Access Tokens (RFC 9068), or alternatively, use a Post-Login Action to append a custom claim.
- Auth0
- Access Tokens
- JSON Web Tokens (JWT)
- Access Token Profiles
The default Auth0 access token profile includes the azp claim, but the IETF JWT Profile for OAuth 2.0 Access Tokens (RFC 9068) replaces the azp claim with the client_id claim. To change the access token profile to RFC 9068, update the advanced tenant settings in the Auth0 Dashboard.
- Navigate to Settings in the Auth0 Dashboard.
- Select the Advanced tab.
- Scroll to the Access Token Profile section.
- Choose IETF JWT Profile for OAuth 2.0 Access Tokens (RFC 9068) from the dropdown menu.
- Select Save.
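To confirm the profile change took effect before pointing a service that requires client_id at the tenant, the following added example (not Auth0's code) decodes a token's header and payload and reports whether it carries the RFC 9068 claims. The function name inspectAccessToken, the profile labels, and the sample tokens are assumptions constructed for illustration; the required claim list and the at+jwt type come from RFC 9068.

```javascript
// Added example, diagnostic only: it decodes the token WITHOUT verifying the
// signature, so its result must never drive an authorization decision.
const REQUIRED_RFC9068 = ['iss', 'exp', 'aud', 'sub', 'client_id', 'iat', 'jti'];

// base64url helpers written out so the block runs on any Node.js version.
function encodePart(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function decodePart(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Hypothetical helper: classify a token by the claims discussed on this page.
function inspectAccessToken(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact-serialized JWT');
  const header = decodePart(parts[0]);
  const claims = decodePart(parts[1]);
  // RFC 9068 section 2.1: typ is "at+jwt"; an "application/" prefix is allowed.
  const typ = String(header.typ || '').toLowerCase().replace(/^application\//, '');
  const missing = REQUIRED_RFC9068.filter((name) => claims[name] === undefined);
  let profile = 'unknown';
  if (typ === 'at+jwt' && missing.length === 0) profile = 'rfc9068';
  else if (claims.azp !== undefined && claims.client_id === undefined) profile = 'azp-only';
  return { profile, clientId: claims.client_id ?? null, azp: claims.azp ?? null, missing };
}

// Constructed, unsigned sample tokens (placeholder signature, made-up values).
const common = { iss: 'https://tenant.example/', sub: 'user|123',
  aud: 'https://api.example', iat: 1700000000, exp: 1700086400 };
const defaultToken = [encodePart({ alg: 'RS256', typ: 'JWT' }),
  encodePart({ ...common, azp: 'abc123ClientId' }), 'sig'].join('.');
const rfc9068Token = [encodePart({ alg: 'RS256', typ: 'at+jwt' }),
  encodePart({ ...common, client_id: 'abc123ClientId', jti: 'constructed-jti' }),
  'sig'].join('.');

console.log(inspectAccessToken(defaultToken));
console.log(inspectAccessToken(rfc9068Token));
```

A token reported as azp-only is the one a client_id-dependent service would reject; the missing array names the claims to look for after saving the tenant setting and requesting a fresh token.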
If the default access token profile must be maintained, Auth0 can append the client ID as a custom claim to the token using a Post-Login Action. To accomplish this, review the documentation for Adding Custom Claims to Tokens.