Use Access Tokens

Access tokens are used in token-based authentication to allow an application to access an API. For example, a Calendar application needs access to a Calendar API in the cloud so that it can read the user's scheduled events and create new events.

Once an application has received an access token, it will include that token as a credential when making API requests. To do so, it should transmit the access token to the API as a Bearer credential in an HTTP Authorization header.

For example:

GET /calendar/v1/events
    Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuYXV0aDAuY29tLyIsImF1ZCI6Imh0dHBzOi8vYXBpLmV4YW1wbGUuY29tL2NhbGFuZGFyL3YxLyIsInN1YiI6InVzcl8xMjMiLCJpYXQiOjE0NTg3ODU3OTYsImV4cCI6MTQ1ODg3MjE5Nn0.CA7eaHjIHz5NxeIJoFK9krqaeZrPLwmMmgI_XiQiIkQ

Was this helpful?


In this example, the Access Token is a JWT that decodes to the following claims:

      "alg": "RS256",
      "typ": "JWT"
      "iss": "",
      "aud": "",
      "sub": "usr_123",
      "scope": "read write",
      "iat": 1458785796,
      "exp": 1458872196

Was this helpful?


Before permitting access to the API using this token, the API must validate the access token.

Once the Access Token has been successfully validated, the API can be sure that:

  • The token was issued by Auth0.

  • The token was issued to an application being used by a user with an identifier of usr_123.

  • The user granted the application access to read from and write to their calendar.

The API can now process the request, allowing the application to read from and write to user usr_123's calendar.

Learn more