Access token profiles define the format and claims of access tokens issued for an API. Auth0 supports the following access token profiles, also known as token dialects:
| Token Profile | Description | Token Dialect |
|---|---|---|
| Auth0 token profile | The default token profile. Issues access tokens formatted as a JSON Web Token (JWT). | The Auth0 token profile is associated with two token dialects: access_token; and access_token_authz, the access_token dialect with the permissions claim included. |
| RFC 9068 token profile | Issues access tokens formatted as a JSON Web Token (JWT) following the IETF standard for encoding OAuth 2.0 Access Tokens in JWT format. | The RFC 9068 token profile is associated with two token dialects: rfc9068_profile; and rfc9068_profile_authz, the rfc9068_profile dialect with the permissions claim included. |
While both access token profiles issue JWTs, the tokens have different formats. Both access token profiles can enable Role-Based Access Control (RBAC) and add the permissions claim to the access token. To configure the access token profile for an API, read Configure Access Token Profile.

Auth0 profile sample token

{
  "iss": "https://my-domain.auth0.com/",
  "sub": "auth0|123456",
  "aud": [
    "https://example.com/health-api",
    "https://my-domain.auth0.com/userinfo"
  ],
  "azp": "my_client_id",
  "exp": 1311281970,
  "iat": 1311280970,
  "scope": "openid profile read:patients read:admin",
  "my_custom_claim": "my_custom_value"
}

RFC 9068 profile sample token

{
  "iss": "https://my-domain.auth0.com/",
  "sub": "auth0|123456",
  "aud": [
    "https://example.com/health-api",
    "https://my-domain.auth0.com/userinfo"
  ],
  "client_id": "my_client_id",
  "exp": 1311281970,
  "iat": 1311280970,
  "jti": "73WakrfVbNJBaAmhQtEeDv",
  "scope": "openid profile read:patients read:admin",
  "my_custom_claim": "my_custom_value"
}

Token profile differences

The Auth0 profile and RFC 9068 profile issue JWTs that have different token formats. The main differences are:
  • The RFC 9068 profile incorporates the jti claim, providing a unique identifier for the JWT.
  • The Auth0 profile uses the azp claim to represent the client ID of the requesting application, whereas the RFC 9068 profile uses the client_id claim.
  • The RFC 9068 profile does not use the gty claim, which is an Auth0-specific claim that represents the authentication flow.
| Data | RFC 9068 Profile | Auth0 Profile |
|---|---|---|
| typ | at+jwt | JWT |
| alg | Signing algorithm, for example, RS256 | Signing algorithm, for example, RS256 |

Claims

| Claim | Description | Present in RFC 9068 Profile | Present in Auth0 Profile | Sample Claim |
|---|---|---|---|---|
| iss | Issuer identifier for the Auth0 tenant issuing the access token. | Yes | Yes | Tenant domain: https://tenant.auth0.com/ |
| sub | The subject claim indicates which user or application the access token was issued for. For grants where an end user is involved (e.g., Authorization Code Flow), the sub claim is the user_id. For Machine-to-Machine apps using Client Credentials (no end user), the sub claim is a unique identifier for the app. | Yes | Yes | User ID: auth0\|6553da60a54af58e29493993; Client ID with suffix: awZfdIir8YFdGZWkvCejDoUb7SjTDicx@clients |
| aud | The audience claim defines the intended recipient of the access token. | Yes | Yes | "https://test-server/api" or [ "https://test-server/api", "https://test.local.dev.auth0.com/userinfo" ] |
| client_id | Client ID of the application that requests the access token. | Yes | No | Client ID: K1AUPhZq8mRi0Q0pjhkfu1D7y6KjDQja |
| azp | Client ID of the application that requests the access token. | No | Yes | Client ID: K1AUPhZq8mRi0Q0pjhkfu1D7y6KjDQja |
| exp | The expiration time on or after which the access token must not be accepted. | Yes | Yes | Epoch timestamp: 1516238022 |
| iat | Timestamp at which the access token was issued. | Yes | Yes | Epoch timestamp: 1516239022 |
| scope | Scope of the issued access token. See Scopes. | Yes | Yes | "openid profile offline_access" |
| jti | Unique identifier for the access token. | Yes | No | Unique string identifier: aBv9njtYfwL4xfPZyEwz9m |
| gty | Grant type used to request the access token. Only present for password and refresh_token. | No | Case-specific | Grant type: password |
| permissions | Permissions available depending on roles. Included when Enable RBAC and Add permissions in the Access Token are enabled. See RBAC for APIs. | Case-specific | Case-specific | [ "create:bar", "create:foo", "read:bar", "read:foo" ] |
| org_id | Organization ID. Added when the user authenticated via an Organization. See Tokens and Orgs. | Case-specific | Case-specific | Organization ID: org_9ybsU1dN2dKfDkBi |
| org_name | Organization Name. Added when the user authenticated via an Organization and Organization Names in Authentication API is enabled. See Use Org Names. | Case-specific | Case-specific | Organization Name: my_organization |
| authorization_details | Authorization details used in Rich Authorization Requests (RAR). See RAR. | Case-specific | Case-specific | { "type": "money_transfer", "instructedAmount": {"amount": 2500, "currency": "USD"}, "destinationAccount": "xxxx9876", "beneficiary": "Hanna Herwitz" } |
| cnf | Confirmation claim for mTLS Token Binding. | Case-specific | Case-specific | {"x5t#S256":"A4DtL2JmUMhAsvJj5tKyn64SqzmuXbMrJa0n761y5v0"} |
| Custom claims | Custom claims can be added via Actions. See Create Custom Claims. | Case-specific | Case-specific | "favorite_color": "blue" |
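The following Python is an added example, not code from Auth0 or from this page, showing how a resource server can apply the profile differences and the claim rules in the tables above: it identifies the dialect from the typ header, reads the requesting client from azp or client_id accordingly, and then checks iss, aud, exp, iat, jti, scope and permissions. It assumes the RS256 signature has already been verified by a JWT library against the tenant's JWKS (the header and claims below are constructed sample dicts that mirror the page's sample tokens, with a hypothetical tenant, client and user); signature checking itself is out of scope here.

```python
import time

# Profile names are the token dialects listed on this page.
PROFILE_AUTH0 = "access_token"
PROFILE_RFC9068 = "rfc9068_profile"

# Constructed samples (hypothetical tenant, client and user, mirroring the page's
# sample tokens). In production these dicts come from a JWT library *after* it has
# verified the RS256 signature; this example only performs the claim checks that follow.
AUTH0_HEADER = {"typ": "JWT", "alg": "RS256"}
AUTH0_CLAIMS = {
    "iss": "https://my-domain.auth0.com/",
    "sub": "auth0|123456",
    "aud": ["https://example.com/health-api", "https://my-domain.auth0.com/userinfo"],
    "azp": "my_client_id",
    "exp": 1311281970,
    "iat": 1311280970,
    "scope": "openid profile read:patients read:admin",
    "gty": "password",                 # Auth0 profile only; present for password/refresh_token
    "permissions": ["read:patients"],  # present only when RBAC + "Add permissions" is enabled
}
RFC9068_HEADER = {"typ": "at+jwt", "alg": "RS256"}
RFC9068_CLAIMS = {
    "iss": "https://my-domain.auth0.com/",
    "sub": "auth0|123456",
    "aud": ["https://example.com/health-api", "https://my-domain.auth0.com/userinfo"],
    "client_id": "my_client_id",
    "exp": 1311281970,
    "iat": 1311280970,
    "jti": "73WakrfVbNJBaAmhQtEeDv",
    "scope": "openid profile read:patients read:admin",
}


def detect_profile(header):
    """Identify the dialect from the JWT typ header: at+jwt is RFC 9068, JWT is the Auth0 profile."""
    typ = header.get("typ")
    if typ == "at+jwt":
        return PROFILE_RFC9068
    if typ == "JWT":
        return PROFILE_AUTH0
    raise ValueError(f"unrecognised typ header: {typ!r}")


def requesting_client(profile, claims):
    """The requesting application's client ID is in client_id (RFC 9068) or azp (Auth0)."""
    key = "client_id" if profile == PROFILE_RFC9068 else "azp"
    if key not in claims:
        raise ValueError(f"{profile} token is missing the {key} claim")
    return claims[key]


def validate_access_token(header, claims, *, issuer, audience,
                          required_scopes=(), required_permissions=(), now=None):
    """Resource-server checks on an already signature-verified token.

    Returns a summary dict if the token is acceptable and raises ValueError otherwise.
    `now` is an epoch timestamp (defaults to the current time) so checks are reproducible.
    """
    now = int(time.time()) if now is None else now
    profile = detect_profile(header)

    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if not claims.get("sub"):
        raise ValueError("sub claim missing")

    # aud may be a single string or a list; this API must be one of the recipients.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if audience not in audiences:
        raise ValueError("token was not issued for this API")

    # exp is the instant on or after which the token must not be accepted.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or exp missing")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        raise ValueError("iat missing or in the future")

    # RFC 9068 tokens always carry jti; keep it for logging and replay tracking.
    if profile == PROFILE_RFC9068 and not claims.get("jti"):
        raise ValueError("RFC 9068 token is missing the jti claim")

    client_id = requesting_client(profile, claims)

    granted_scopes = set(claims.get("scope", "").split())
    missing_scopes = set(required_scopes) - granted_scopes
    if missing_scopes:
        raise ValueError(f"missing scopes: {sorted(missing_scopes)}")

    granted_permissions = set(claims.get("permissions", []))
    missing_permissions = set(required_permissions) - granted_permissions
    if missing_permissions:
        raise ValueError(f"missing permissions: {sorted(missing_permissions)}")

    return {
        "profile": profile,
        "subject": claims["sub"],
        "client_id": client_id,
        "jti": claims.get("jti"),
        "grant_type": claims.get("gty"),
        "scopes": sorted(granted_scopes),
        "permissions": sorted(granted_permissions),
    }


if __name__ == "__main__":
    for hdr, clm in ((AUTH0_HEADER, AUTH0_CLAIMS), (RFC9068_HEADER, RFC9068_CLAIMS)):
        print(validate_access_token(hdr, clm, issuer="https://my-domain.auth0.com/",
                                    audience="https://example.com/health-api",
                                    required_scopes=("read:patients",), now=1311281000))
```

The `now` parameter is fixed in the usage call because the sample exp/iat values are historical; a real deployment leaves it at the default. Note that the audience check passes when the API appears anywhere in aud, which is why the sample tokens listing both the API and the userinfo endpoint are accepted, and that a token presenting an RFC 9068 typ header with Auth0-profile claims (azp but no client_id) is rejected rather than silently mapped.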