Configure Access Token Profile
You can choose which access token profile to use for your APIs: the Auth0 token profile or the RFC 9068 token profile. The access token profile you configure determines the format of the access tokens issued for the API.
By default, Auth0 issues access tokens using the Auth0 token profile. The Auth0 token profile issues access tokens that are formatted as JSON Web Tokens (JWTs), which contain information about an entity in the form of claims.
Auth0 also supports the RFC 9068 token profile. The RFC 9068 token profile issues access tokens formatted as JWTs following the IETF JWT Profile for OAuth 2.0 Access Tokens (RFC 9068). To learn more about the differences between these token profiles, read Access Token Profiles.
When you register an API, you can select the access token profile in the Auth0 Dashboard. After you’ve registered the API, you can configure the access token profile anytime using the Management API and the Auth0 Dashboard.
Configure access token profile for an API
1. Go to Dashboard > Applications > APIs and click the name of the API to view.
2. Scroll to Access Token Settings and select the access token profile under JSON Web Token (JWT) Profile. The selected profile determines the format and claims of access tokens issued for the API. The supported values are Auth0 and RFC 9068. To read more about the difference between the two profiles, read Access Token Profiles.
3. Click Save.
When using the Management API, we refer to access token profiles as token dialects. To configure your access token profile, set the token_dialect parameter for an API using the Management API.
The following code sample makes a PATCH request to the Update a resource server endpoint:
curl --request PATCH \
--url 'https://{yourDomain}/api/v2/resource-servers/API_ID' \
--header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
--header 'content-type: application/json' \
--data '{"token_dialect": "TOKEN_DIALECT" }'Was this helpful?
Replace the API_ID, MGMT_API_ACCESS_TOKEN, and TOKEN_DIALECT with their respective values, as described in the following table:
| Parameter | Description |
|---|---|
API_ID |
ID of the API for which you want to update the token dialect. |
MGMT_API_ACCESS_TOKEN |
Access Token for the Management API with the scope update:resource_servers. |
TOKEN_DIALECT |
Dialect of the access token for the specified API. To learn more, read Token dialect options. |
Token dialect options
Auth0 supports the following token dialects:
| Value | Description |
|---|---|
access_token |
The default Auth0 token profile generates an access token formatted as a JSON Web Token (JWT). To learn more, read Access Token Profiles. |
access_token_authz |
The default Auth0 token profile (access_token) with the permissions claim. To learn more about RBAC permissions, read Enable Role-Based Access Control for APIs. |
rfc9068_profile |
The RFC 9068 token profile generates an access token formatted as a JWT following the IETF JWT Profile for OAuth 2.0 Access Tokens (RFC 9068). To learn more, read Access Token Profiles. |
rfc9068_profile_authz |
The RFC 9068 profile (rfc9068_profile) with the permissions claim. To learn more about RBAC permissions, read Enable Role-Based Access Control for APIs. |