Access Token Profiles

Access token profiles define the format and claims of access tokens issued for an API. Auth0 supports the following access token profiles, also known as token dialects:

Token Profile Description Token Dialect
Auth0 token profile The default token profile. Issues access tokens formatted as a JSON Web Token (JWT). The Auth0 token profile is associated with two token dialects:
  • access_token
  • access_token_authz, or the access_token profile with the permissions claim included
RFC 9068 token profile Issues access tokens formatted as a JSON Web Token (JWT) following the IETF standard for encoding OAuth 2.0 Access Tokens in JWT format. The RFC 9068 token profile is associated with two token dialects:
  • rfc9068_profile
  • rfc9068_profile_authz, or the rfc9068_profile profile with the permissions claim included

While both access token profiles issue JWTs, the JWTs have different token formats. Both access token profiles can enable Role-Based Access Control (RBAC) and add the permissions claim to the access token. 

To configure the access token profile for an API, read Configure Access Token Profile.

Auth0 profile sample token

{
  "iss": "https://my-domain.auth0.com/",
  "sub": "auth0|123456",
  "aud": [
    "https://example.com/health-api",
    "https://my-domain.auth0.com/userinfo"
  ],
  "azp": "my_client_id",
  "exp": 1311281970,
  "iat": 1311280970,
  "scope": "openid profile read:patients read:admin",
  "my_custom_claim": "my_custom_value"
}

Was this helpful?

/

RFC 9068 profile sample token

{
  "iss": "https://my-domain.auth0.com/",
  "sub": "auth0|123456",
  "aud": [
    "https://example.com/health-api",
    "https://my-domain.auth0.com/userinfo"
  ],
  "client_id": "my_client_id",
  "exp": 1311281970,
  "iat": 1311280970,
  "jti":"73WakrfVbNJBaAmhQtEeDv",
  "scope": "openid profile read:patients read:admin",
  "my_custom_claim": "my_custom_value"
}

Was this helpful?

/

Token profile differences

The Auth0 profile and RFC 9068 profile issue JWTs that have different token formats. The main differences are:

  • The RFC 9068 profile incorporates the jti claim, providing a unique identifier for the JWT.

  • The Auth0 profile uses the azp claim to represent the client ID whereas the RFC 9068 profile uses the client_id claim.

  • The RFC 9068 profile does not use the gty claim, which is an Auth0-specific claim that represents the authentication flow.

Header

Data RFC 9068 Profile Auth0 Profile
type at+jwt JWT
alg Signing algorithm, for example, RS256 Signing algorithm, for example, RS256

Claims

Claim
Description
Present in RFC 9068 Profile
Present in Auth0 Profile
 Sample Claim
iss Issuer identifier for the Auth0 tenant issuing the access token. Yes Yes Tenant domain: https://tenant.auth0.com/
sub The subject claim indicates which user or application the access token was issued for:
  • For grants where an end user is involved, such as the Authorization Code Flow, the sub claim is the user_id.
  • For Machine-to-Machine applications using the Client Credentials grant where no end user is involved, the sub claim is a unique identifier for the application.
 Yes Yes
  • User ID:auth0|6553da60a54af58e29493993
  • Client ID with suffix: awZfdIir8YFdGZWkvCejDoUb7SjTDicx@clients
aud The audience claim defines the intended recipient of the access token. Yes Yes "https://test-server/api" OR [ "https://test-server/api", "https://test.local.dev.auth0.com/userinfo" ]
client_id Client ID of the application that requests the access token. Yes No Client ID: K1AUPhZq8mRi0Q0pjhkfu1D7y6KjDQja
azp Client ID of the application that requests the access token. No Yes Client ID: K1AUPhZq8mRi0Q0pjhkfu1D7y6KjDQja
exp The expiration time on or after which the access token must not be accepted for processing. Yes Yes Epoch timestamp in seconds: 1516238022
iat Timestamp at which the access token was issued. Yes Yes Epoch timestamp in seconds: 1516239022
scope Scope of the issued access token. To learn more, read Scopes. Yes Yes "openid profile offline_access"
jti Unique identifier for the access token. Yes No Unique string identifier: aBv9njtYfwL4xfPZyEwz9m
gty Grant type that the application used to request the access token. Only present for password and refresh_token grant types. No Case-specific Grant type: password
permissions Permissions available to a user or application depending on their role. Included only when the Enable RBAC and Add permissions in the Access Token settings are enabled for the API. To learn more, read Enable Role-Based Access Control for APIs. Case-specific Case-specific [ "create:bar", "create:foo", "read:bar", "read:foo" ]
org_id Organization ID. Added when a user has authenticated through an Organization. To learn more, read Work with Tokens and Organizations. Case-specific Case-specific Organization ID: org_9ybsU1dN2dKfDkBi
org_name Organization Name. Added when a user has authenticated through an Organization and the Organization Names in Authentication API setting is enabled. To learn more, read Use Organization Names in Authentication API. Case-specific Case-specific Organization Name: my_organization
authorization_details Authorization details used in Rich Authorization Requests (RAR). To learn more, read Authorization Code Flow with Rich Authorization Requests. Case-specific Case-specific { "type": "money_transfer", "instructedAmount": {"amount": 2500, "currency": "USD"}, "destinationAccount": "xxxxxxxxxxx9876", "beneficiary": "Hanna Herwitz", }
cnf Confirmation claim that is supported for mTLS Token Binding. Case-specific Case-specific {"x5t#S256":"A4DtL2JmUMhAsvJj5tKyn64SqzmuXbMrJa0n761y5v0"}
Custom claims Custom claims can be added to access tokens via Actions. To learn more, read Create Custom Claims. Case-specific Case-specific "favorite_color": “blue”