Auth0 uses two types of tokens:

JSON Web Tokens (JWT): Tokens that conform to the JSON Web Token standard and contain information about an identity in the form of claims. They are self-contained in that it is not necessary for the recipient to call a server to validate the token.

Opaque tokens: Tokens in a proprietary format that typically contain some identifier to information in a server's persistent storage. To validate an opaque token, the recipient of the token needs to call the server that issued the token.

There are five primary tokens used in Auth0's token based authentication scenarios and referenced in Auth0 documentation.
ID Token
The ID token, usually referred to as id_token in code samples, is a JSON Web Token (JWT) that contains user profile attributes represented in the form of claims. The id_token is consumed by the client and used to get user information like the user's name, email, and so forth, typically used for UI display.
Access Token
The Access Token, commonly referred to as access_token, is a credential that can be used by a client to access an API. Auth0 uses access tokens to protect access to the Auth0 Management API.
Identity Provider Access Token
When a user authenticates via Auth0 with another social provider's authentication service, such as Facebook or LinkedIn, the social provider will return an access token that can be used by the client program to call that social provider's API.
Refresh Token
The Refresh token is a long-lived token that is used to obtain a new ID Token after a previous one has expired.
Management APIv2 Token
The Management APIv2 token is used to call the Auth0 Management API v2. This APIv2 token is a JWT, and contains various scope claims, such as update:clients, and is signed with a client API key and secret for the entire tenant.
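The following is an added example, not code from Auth0 or its documentation. It illustrates two points from this page: the difference between validating a self-contained JWT locally and validating an opaque token by asking the issuing server, and checking a scope claim such as update:clients on a Management API token. The tenant secret, issuer URL, audience URL, the opaque-token store and all tokens are constructed for the example; HS256 with a tenant-wide secret is assumed, matching the secret-signed APIv2 token described above, and only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only; a real tenant's secret never lives in source code.
TENANT_SECRET = b"constructed-example-secret-not-a-real-key"
ISSUER = "https://example-tenant.auth0.com/"                # assumed issuer URL
MGMT_AUDIENCE = "https://example-tenant.auth0.com/api/v2/"  # assumed Management API audience


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_jwt(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. Only here so the example can produce its own test tokens;
    in practice Auth0 is the issuer and the client never mints tokens."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Self-contained validation of a JWT: signature, issuer, audience and expiry are all
    checked locally, with no call back to the issuing server. Raises ValueError on failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the header is untrusted input until the signature has been verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def verify_jwt_status(token, secret, issuer, audience, now=None) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        verify_jwt(token, secret, issuer, audience, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def has_scope(claims: dict, required: str) -> bool:
    """Management API style authorization: the space-separated 'scope' claim must grant the action."""
    return required in claims.get("scope", "").split()


# Opaque token: nothing inside the string is meaningful to the recipient, so validation
# means asking the issuing server. A dict stands in for the server's persistent storage.
OPAQUE_STORE = {"opq_7f3a": {"sub": "auth0|user-1", "exp": 2_000_000_000}}  # constructed


def introspect_opaque(token: str, now=None) -> dict:
    """What the issuing server answers when asked about an opaque token."""
    record = OPAQUE_STORE.get(token)
    if record is None:
        return {"active": False}
    now = int(time.time()) if now is None else now
    return {"active": now < record["exp"], **record}


EXAMPLE_CLAIMS = {"iss": ISSUER, "aud": MGMT_AUDIENCE, "sub": "constructed-client@clients",
                  "scope": "read:clients update:clients", "iat": 1000, "exp": 2000}  # constructed


def example_tokens() -> dict:
    """Constructed tokens exercising the validator: a good one, an 'alg: none' forgery,
    and a token whose payload was edited after signing."""
    good = mint_hs256_jwt(EXAMPLE_CLAIMS, TENANT_SECRET)
    forged = mint_hs256_jwt(EXAMPLE_CLAIMS, TENANT_SECRET, alg="none")
    head, _, sig = good.split(".")
    edited_payload = _b64url_encode(json.dumps({**EXAMPLE_CLAIMS, "scope": "delete:clients"}).encode())
    return {"good": good, "forged": forged, "edited": ".".join([head, edited_payload, sig])}


if __name__ == "__main__":
    claims = verify_jwt(example_tokens()["good"], TENANT_SECRET, ISSUER, MGMT_AUDIENCE, now=1500)
    print("update:clients allowed:", has_scope(claims, "update:clients"))
    print("alg none forgery:", verify_jwt_status(example_tokens()["forged"], TENANT_SECRET, ISSUER, MGMT_AUDIENCE, now=1500))
    print("opaque lookup:", introspect_opaque("opq_7f3a", now=1500))
```

The order of checks in verify_jwt is deliberate: the algorithm is pinned and the signature verified before any claim is read, so expiry, issuer and audience decisions are only ever made on data the tenant secret vouches for. The opaque path has no such local checks at all; everything it knows comes from the issuing server's answer.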