Configure Access Token Profile

You can choose which access token profile to use for your APIs. The access token profile you configure determines the format of the access tokens issued for the API.

By default, Auth0 issues access tokens using the Auth0 token profile. The Auth0 token profile issues access tokens that are formatted as a JSON Web Token (JWT), containing information about an entity in the form of claims.

Auth0 also supports the RFC 9068 token profile. The RFC 9068 token profile issues access tokens formatted as a JWT following the IETF JWT Profile for OAuth 2.0 Access Tokens (RFC 9068). To learn more about the differences between these token profiles, read Access Token Profiles.

To configure an access token profile for an API, use the Management API.

Management API

When using the Management API, we refer to access token profiles as token dialects. To configure your access token profile, set the token_dialect parameter for an API using the Management API. 

The following code sample makes a PATCH request to the Update a resource server endpoint:

curl --request PATCH \
  --url 'https://{yourDomain}/api/v2/resource-servers/API_ID' \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{"token_dialect": "TOKEN_DIALECT" }'

Was this helpful?

/

Replace the API_ID, MGMT_API_ACCESS_TOKEN, and TOKEN_DIALECT with their respective values, as described in the following table:

Parameter Description
API_ID ID of the API for which you want to update the token dialect.
MGMT_API_ACCESS_TOKEN Access Token for the Management API with the scope update:resource_servers.
TOKEN_DIALECT Dialect of the access token for the specified API. To learn more, read Token dialect options.

Token dialect options

Auth0 supports the following token dialects:

Value Description
access_token The default Auth0 token profile generates an access token formatted as a JSON Web Token (JWT). To learn more, read Access Token Profiles.
access_token_authz The default Auth0 token profile (access_token) with the permissions claim. To learn more about RBAC permissions, read Enable Role-Based Access Control for APIs.
rfc9068_profile The RFC 9068 token profile generates an access token formatted as a JWT following the IETF JWT Profile for OAuth 2.0 Access Tokens (RFC 9068). To learn more, read Access Token Profiles.
rfc9068_profile_authz The RFC 9068 profile (rfc9068_profile) with the permissions claim. To learn more about RBAC permissions, read Enable Role-Based Access Control for APIs.