Validate Access Tokens
An access token is meant for an API and should be validated only by the API for which it was intended. If you receive an access token from an identity provider (IdP), in general, you don't need to validate it. You can pass it to the issuing IdP and the IdP takes care of the rest. See Identity Provider Access Tokens for details.
If any of these checks fail, the token is considered invalid, and the request must be rejected with
403 Forbidden result.
Perform standard JWT validation. Because the access token is a JWT, you need to perform the standard JWT validation steps. See Validate JSON Web Tokens for details.
Verify token audience claims. If you've performed the standard JWT validation, you have already decoded the JWT's payload and looked at its standard claims. The token audience claim (
aud, array of strings) depends on the initial token request. The
audfield could contain both an audience corresponding to your custom API and an audience corresponding to the /userinfo endpoint. At least one of the audience values for the token must match the unique identifier of the target API as defined in your API's Settings in the Identifier field. See Get Access Tokens for details.
Verify permissions (scopes). Verify that the application has been granted the permissions required to access your API. To do so, you will need to check the
scope, space-separated list of strings) in the decoded JWT's payload. It should match the permissions required for the endpoint being accessed. For example, if your custom API provides three endpoints to read, create, or delete a user record, when you registered your API with Auth0, you created three corresponding permissions:
create:usersprovides access to the /create endpoint
read:usersprovides access to the /read endpoint
delete:usersprovides access to the /delete endpoint
In this case, if an application requests access the /create endpoint, but the access token's
scopeclaim does not include the value
create:users, then the API should reject the request.