Get an Access Token

To get an Access Token, you need to request one when authenticating a user.

Auth0 makes it easy for your app to authenticate users using:

Control Access Token Audience

When a user authenticates, you request an Access Token and include the target audience and scope of access in your request. This access is both requested by the application and granted by the user during authentication using the Authorize endpoint.

You may configure your tenant to always include a default audience.

Token use: /userinfo endpoint
  Format: Opaque
  Requested audience: tenant name (YOUR_DOMAIN), an empty audience parameter, or no audience parameter passed
  Requested scope: openid

Token use: Auth0 Management API
  Format: JWT
  Requested audience: Management API v2 identifier (https://{tenant}.auth0.com/api/v2/)

Token use: Your own custom API
  Format: JWT
  Requested audience: the API Identifier for your custom API registered in the Auth0 Dashboard

Multiple Audiences

Access Tokens can have multiple target audiences as long as your custom API's signing algorithm is set to RS256.

For example, if you specify an audience of your custom API identifier and a scope of openid, then the resulting Access Token's aud claim will be an array rather than a string, and the Access Token will be valid for both your custom API and for the /userinfo endpoint.

Custom Domains and the Management API

Auth0 issues tokens with an issuer (iss claim) of whichever domain you used when requesting the token. Custom domain users may use either their custom domain or their Auth0 domain. For example, say you have a custom domain of https://login.northwind.com. If you request an Access Token from https://login.northwind.com/authorize, your token's iss claim will be https://login.northwind.com/. However, if you request an Access Token from https://northwind.auth0.com/authorize, your token's iss claim will be https://northwind.auth0.com/.

For an Access Token with the target audience of the Auth0 Management API, if you have requested an Access Token from your custom domain, then you must call the Management API from your custom domain or else your Access Token will be considered invalid.
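Added example, not Auth0's own code: a claims check for the two points above, accepting aud as either a string or an array (the multiple-audience case) and pinning iss to the domain the token was requested from. It assumes the RS256 signature has already been verified against the issuer's JWKS; the custom API identifier and the userinfo audience value are constructed sample data.

```python
import time

# Constructed sample values (hypothetical custom API identifier).
CUSTOM_API = "https://api.northwind.example/"
USERINFO_AUD = "https://login.northwind.com/userinfo"
CUSTOM_DOMAIN_ISS = "https://login.northwind.com/"
AUTH0_DOMAIN_ISS = "https://northwind.auth0.com/"

# Constructed claims: token requested from the custom domain with
# audience=CUSTOM_API and scope=openid, so aud is an array.
TOKEN_FROM_CUSTOM_DOMAIN = {
    "iss": CUSTOM_DOMAIN_ISS,
    "aud": [CUSTOM_API, USERINFO_AUD],
    "scope": "openid",
    "iat": 1_700_000_000,
    "exp": 1_700_086_400,  # 86400 seconds after iat
}

# Constructed claims: same API requested via the Auth0 domain, single audience.
TOKEN_FROM_AUTH0_DOMAIN = {
    "iss": AUTH0_DOMAIN_ISS,
    "aud": CUSTOM_API,
    "iat": 1_700_000_000,
    "exp": 1_700_086_400,
}


def audience_matches(aud, expected_audience):
    """aud is a string for one audience and a list when several were granted."""
    if isinstance(aud, str):
        return aud == expected_audience
    if isinstance(aud, list):
        return expected_audience in aud
    return False


def validate_claims(claims, expected_audience, expected_issuer, now=None):
    """Return (ok, reason). Only aud, iss and exp are checked here; the caller
    must already have verified the RS256 signature."""
    now = time.time() if now is None else now
    if not audience_matches(claims.get("aud"), expected_audience):
        return False, "audience mismatch"
    if claims.get("iss") != expected_issuer:  # exact match, trailing slash included
        return False, "issuer mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    return True, "ok"
```

A resource server that only knows the Auth0 domain rejects the custom-domain token on iss, which is the behaviour the Management API note above describes.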

Renew an Access Token

By default, an Access Token for a Custom API is valid for 86400 seconds (24 hours). If there are security concerns, you can shorten the time period before the token expires.

After an Access Token has expired, you may want to renew your Access Token. To renew the Access Token, you can either reauthenticate the user using Auth0, or use a Refresh Token.