Get Access Tokens
To get an access token, you request one when authenticating a user. These Auth0 tools help you modify your app to authenticate users:
Quickstarts: The easiest way to implement authentication, which can show you how to use Universal Login, the Lock widget, and Auth0's language and framework-specific SDKs. Our Lock documentation and Auth0.js documentation provide specifics about retrieving an ID token after authentication.
Authentication API: If you prefer to write your code independently, you can call the Auth0 Authentication API directly. First, you need to know which flow to use. Then follow the instructions to implement that flow.
Control access token audience
When a user authenticates, you request an access token and include the target audience and scope of access in your request. The application uses the /authorize endpoint to request access. This access is both requested by the application and granted by the user during authentication.
You can configure your tenant to always include a default audience.
| Token Use | Format | Requested Audience | Requested Scope |
|---|---|---|---|
| /userinfo endpoint | Opaque | tenant name ( | |
| Auth0 Management API | JWT | Management API v2 identifier ( | |
| Your own custom API | JWT | The API Identifier for your custom API registered in the Auth0 Dashboard | |
In only one specific instance, access tokens can have multiple target audiences. This requires that your custom API's signing algorithm is set to RS256. To learn more, read Token Best Practices.
If you specify an audience of your custom API identifier and a scope of openid, then the resulting access token's aud claim will be an array rather than a string, and the access token will be valid for both your custom API and the /userinfo endpoint. Apart from this one case (a single custom API together with Auth0's /userinfo endpoint), an access token cannot have two or more audiences.
Custom domains and the Management API
Auth0 issues tokens with an issuer (iss) claim of whichever domain you used when requesting the token. Custom domain users may use either their custom domain or their Auth0 domain.
For example, you may have a custom domain of https://login.northwind.com. If you request an access token from https://login.northwind.com/authorize, your token's iss claim will be https://login.northwind.com/. However, if you request an access token from https://northwind.auth0.com/authorize, your token's iss claim will be https://northwind.auth0.com/.
For an access token whose target audience is the Management API, if you requested the token from your custom domain, you must also call the Management API through your custom domain; otherwise the access token is considered invalid.
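The two claim rules above (aud is a string for one audience but an array when openid is added for /userinfo, and iss is exactly the domain the token was requested from) are what a resource server must check after verifying the signature. The following is an added example, not Auth0's own code: the claim sets are constructed, the custom API identifier https://orders.northwind.com and the /userinfo audience value are assumptions, and the northwind domains are the ones used on this page.

```python
import time

# Constructed, already-decoded claim sets (not real tokens). Signature
# verification with the tenant's RS256 key is assumed to have passed already.
CUSTOM_API_ONLY = {
    "iss": "https://login.northwind.com/",          # custom domain was used
    "aud": "https://orders.northwind.com",          # one audience -> string
    "exp": 4102444800,                              # far-future expiry
}
CUSTOM_API_PLUS_USERINFO = {
    "iss": "https://login.northwind.com/",
    # audience = custom API and scope included openid -> aud becomes an array
    # (the /userinfo audience value is an assumption for this example)
    "aud": ["https://orders.northwind.com", "https://login.northwind.com/userinfo"],
    "exp": 4102444800,
}


def audiences(claims):
    """Normalize aud: a string for a single audience, an array otherwise."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def validate_access_token(claims, expected_issuer, expected_audience, now=None):
    """Check iss, aud and exp of a signature-verified token; return (ok, reason)."""
    now = time.time() if now is None else now
    # iss must equal the exact domain the token was requested from (custom
    # domain vs. tenant.auth0.com), trailing slash included.
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    # Accept the token only if this API's identifier is among its audiences,
    # whether aud arrived as a string or as an array.
    if expected_audience not in audiences(claims):
        return False, "audience not present"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"
```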
Renew access tokens
By default, an access token for a custom API is valid for 86400 seconds (24 hours). If there are security concerns, you can shorten the time period before the token expires.
After an access token has expired, you may want to renew your access token. To renew the access token, you can either re-authenticate the user using Auth0 or use a refresh token.