Troubleshoot Invalid Token Errors in Auth0
The invalid token error described here is resolved by changing the application's signing algorithm or by adjusting the response type parameter. When an ID token signed with HS256 is returned without an access token, the following error occurs:
The id_token cannot be validated because it was signed with the HS256 algorithm and public applications (like a browser) can’t store secrets. Please read the associated doc for possible ways to fix this.
Beginning with auth0.js version 9 and Lock version 11, these libraries discard ID tokens signed with HS256 (a public client has no safe place to keep the shared secret needed to verify them) and instead call the /userinfo endpoint to retrieve user information. Calling /userinfo requires an access token, so the error occurs if no access token is requested during authentication.
How is the invalid token error resolved?
Resolve the invalid token error by changing the application signature algorithm to RS256 or modifying the response type parameter to include an access token.
- Recommended: Change the application signature algorithm to RS256 instead of HS256.
- Change the value of the responseType parameter to token id_token (instead of the default) to receive an access token in the response.
How is the application signature algorithm changed to RS256?
Change the application signature algorithm to RS256 in the Auth0 Dashboard by following these steps:
- Navigate to Applications > Applications in the Auth0 Dashboard and select the name of the application.
- Scroll to the bottom of the Settings page and select Show Advanced Settings.
- Select the OAuth tab, change the value of JsonWebToken Signature Algorithm to RS256, and select Save Changes.
NOTE: If proceeding with this option and using the ID token to call APIs, change the server code to validate tokens with the RS256 algorithm (using the tenant's public key) instead of HS256 (using the client secret); a verifier still configured for HS256 will reject the new tokens. Using ID tokens to call APIs is not recommended. Decode, verify, and generate JSON Web Tokens (JWTs) using the JWT Tool.