Auth0 uses two formats for tokens:

• JSON Web Token (JWT): Tokens that conform to the JSON Web Token standard and contain information about an entity in the form of claims. They are self-contained in that it is not necessary for the recipient to call a server to validate the token.
• Opaque tokens: Tokens in a proprietary format that typically contain some identifier to information in a server’s persistent storage. To validate an opaque token, the recipient of the token needs to call the server that issued the token.

There are five primary tokens used in Auth0's token-based authentication scenarios and referenced in Auth0 documentation.

• ID Token

  The ID Token, usually referred to as id_token in code samples, is a JSON Web Token (JWT) that contains user profile attributes represented in the form of claims. The ID Token is consumed by the application and used to get user information like the user's name, email, and so forth, typically used for UI display.

  • JSON Web Tokens (JWT) in Auth0
  • JWT Specification: RFC 7519
  • Scopes
  • Why you should always use Access Tokens to secure an API
  • Get a token using Lock
  • Retrieve the full user profile using Lock
  • User profile overview
  • Validate a JWT and get the full user profile
  • Debugger for viewing JWT
  • Read about OpenID Connect (OIDC)
• Access Token

  The Access Token is a credential that can be used by an application to access an API.

  • Why you should always use Access Tokens to secure an API
  • Retrieve the full user profile with an Access Token
  • User profile overview
  • Read about OAuth 2.0
• Identity Provider Access Token

  When a user authenticates via Auth0 with another social provider's authentication service, such as Facebook or LinkedIn, the social provider will return an Access Token that can be used by the application to call that social provider's API.

  • Call an Identity Provider API
  • Add scopes/permissions to call Identity Provider's APIs
  • Social Login with Provider's Access Token
• Refresh Token

  The Refresh Token is a long-lived token that is used to obtain a new Access Token after a previous one has expired.

  • Auth0.Swift: Saving and Refreshing JWT Tokens
  • Lock Android: Refreshing JWT Tokens
  • Refresh Tokens: When to Use Them and How They Interact with JWTs
• Management APIv2 Token

  The Management APIv2 token is used to call the Auth0 Management API v2. This APIv2 token is a JWT, and contains various scope claims, such as read:users or update:clients, and is signed with an application API key and secret for the entire tenant.

  • Management APIv2 Explorer
  • Management API v1 vs v2