Configure Access Token Profile
You can choose which access token profile to use for your APIs. The access token profile you configure determines the format of the access tokens issued for the API.
By default, Auth0 issues access tokens using the Auth0 token profile. The Auth0 token profile issues access tokens that are formatted as a JSON Web Token (JWT), containing information about an entity in the form of claims.
Auth0 also supports the RFC 9068 token profile. The RFC 9068 token profile issues access tokens formatted as a JWT following the IETF JWT Profile for OAuth 2.0 Access Tokens (RFC 9068). To learn more about the differences between these token profiles, read Access Token Profiles.
To configure an access token profile for an API, use the Management API.
Management API
When using the Management API, we refer to access token profiles as token dialects. To configure your access token profile, set the token_dialect parameter for an API using the Management API.
The following code sample makes a PATCH request to the Update a resource server endpoint:
```bash
curl --request PATCH \
  --url 'https://{yourDomain}/api/v2/resource-servers/API_ID' \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{"token_dialect": "TOKEN_DIALECT" }'
```
Replace the API_ID, MGMT_API_ACCESS_TOKEN, and TOKEN_DIALECT with their respective values, as described in the following table:
Parameter | Description |
---|---|
API_ID | ID of the API for which you want to update the token dialect. |
MGMT_API_ACCESS_TOKEN | Access Token for the Management API with the scope update:resource_servers. |
TOKEN_DIALECT | Dialect of the access token for the specified API. To learn more, read Token dialect options. |
Token dialect options
Auth0 supports the following token dialects:
Value | Description |
---|---|
access_token | The default Auth0 token profile generates an access token formatted as a JSON Web Token (JWT). To learn more, read Access Token Profiles. |
access_token_authz | The default Auth0 token profile (access_token) with the permissions claim. To learn more about RBAC permissions, read Enable Role-Based Access Control for APIs. |
rfc9068_profile | The RFC 9068 token profile generates an access token formatted as a JWT following the IETF JWT Profile for OAuth 2.0 Access Tokens (RFC 9068). To learn more, read Access Token Profiles. |
rfc9068_profile_authz | The RFC 9068 profile (rfc9068_profile) with the permissions claim. To learn more about RBAC permissions, read Enable Role-Based Access Control for APIs. |
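After switching an API to rfc9068_profile, one way to confirm that newly issued tokens follow the profile is to inspect the `typ` header and the claims RFC 9068 requires (sections 2.1 and 2.2). The following is an added example, not Auth0's code; the function names and the sample tokens are constructed for illustration.

```python
import base64
import json

# RFC 9068 section 2.1: "typ" header value (media-type form also allowed).
RFC9068_TYP = {"at+jwt", "application/at+jwt"}
# RFC 9068 section 2.2: claims every conforming access token must carry.
RFC9068_REQUIRED = ("iss", "exp", "aud", "sub", "client_id", "iat", "jti")

def _decode(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def rfc9068_findings(token):
    """List the reasons a token does not follow RFC 9068 (empty list = it does).

    Inspection only: the signature is NOT verified, so this is a post-change
    sanity check, never an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    try:
        header, claims = _decode(parts[0]), _decode(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not a base64url-encoded JSON object"]
    findings = []
    if str(header.get("typ", "")).lower() not in RFC9068_TYP:
        findings.append("typ header is %r, expected at+jwt" % header.get("typ"))
    findings += ["missing claim: " + c for c in RFC9068_REQUIRED if c not in claims]
    return findings

def _sample(header, claims):
    """Build a constructed, unsigned sample token (placeholder signature)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc(claims), "constructed-signature"])

# Constructed sample data, not tokens issued by any real tenant.
BASE = {"iss": "https://tenant.example/", "sub": "user|1",
        "aud": "https://api.example", "iat": 1700000000, "exp": 1700003600}
NON_CONFORMING = _sample({"alg": "RS256", "typ": "JWT"}, BASE)
CONFORMING = _sample({"alg": "RS256", "typ": "at+jwt"},
                     dict(BASE, client_id="app1", jti="abc123"))

if __name__ == "__main__":
    print(rfc9068_findings(NON_CONFORMING))
    print(rfc9068_findings(CONFORMING))
```

In the API itself, run a check like this only after full signature, issuer, audience and expiry validation with a JWT library.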