Alvin Lucillo

The anatomy of the token


At the end of a login journey, the Auth0 Angular SDK calls https://YOUR_DOMAIN/oauth/token. The response from Auth0 has the following shape:

{
	"access_token": "eyJ...",
	"id_token": "eyJ...",
	"scope": "openid profile email",
	"expires_in": 86400,
	"token_type": "Bearer"
}
  • access_token - a credential used to call an API. Because the Angular app did not specify an audience, Auth0 assumes by default that the access token is for its own /userinfo endpoint; in that case the token is opaque, meaning the client should not try to interpret it
  • id_token - a JWT (header and payload are base64url-encoded JSON) containing information about the logged-in user; you can paste it into jwt.io to view its header and payload
  • scope - the scopes granted by Auth0
  • expires_in - the lifetime of the access token, in seconds
  • token_type - tells how the token should be presented to the API; Bearer means the token is sent in an Authorization: Bearer TOKEN header