Get Access Tokens
To access your API, you must request an access token when authenticating a user.
To request an , make a POST call to the token URL.
In only one specific instance, access tokens can have multiple target audiences. This requires that your custom API’s is set to RS256. To learn more, read Token Best Practices.
These Auth0 tools help you modify your application to authenticate users:
- Quickstarts are the easiest way to implement authentication. They show you how to use Universal Login and Auth0’s language- and framework-specific SDKs.
- The Auth0 Authentication API is a reference for those who prefer to write code independently. First, identify which flow to use. Then follow the instructions to implement that flow.
Example POST to token URL
Parameters
| Parameter Name | Description |
|---|---|
grant_type | Set this to “client_credentials”. |
client_id | Your application’s Client ID. You can find this value on the application’s settings tab. |
client_secret | Your application’s Client Secret. You can find this value on the application’s settings tab. To learn more about available application authentication methods, read Application Credentials. |
audience | The audience for the token, which is your API. You can find this in the Identifier field on your API’s settings tab. |
organization | Optional. The organization name or identifier you want the request to be associated with. To learn more, read Machine-to-Machine Access for Organizations. |
Response
You receive anHTTP 200 response with a payload containing access_token, token_type, and expires_in values:
Validate your tokens before saving them. To learn how, read Validate ID Tokens and Validate Access Tokens.
Control access token audience
When a user authenticates, you request an access token and include the target and scope of access in your request. The application uses the/authorize endpoint to request access. This access is both requested by the application and granted by the user during authentication
You can configure your tenant to always include a default audience.
| Token Use | Format | Requested Audience | Requested Scope |
|---|---|---|---|
| /userinfo endpoint | Opaque | tenant name ({yourDomain}), no value for audience parameter, no audience parameter passed | openid |
| Auth0 Management API | JWT | Management API v2 identifier (https://.auth0.com/api/v2/) | |
| Your own custom API | JWT | The API Identifier for your custom API registered in the Auth0 Dashboard |
Multiple audiences
If you specify an audience of your custom API identifier and a scope ofopenid, then the resulting access token’s aud claim will be an array rather than a string, and the access token will be valid for both your custom API and for the /userinfo endpoint. Your access tokens can only have two or more audiences if you use a single custom API as well as Auth0’s /userinfo endpoint.
Custom domains and the Auth0 Management API
Auth0 issues tokens with an issuer (iss) claim of whichever domain you used when requesting the token. Custom domain users can use either their or their Auth0 domain.
For example, suppose you have a custom domain, https://login.northwind.com. If you request an access token from https://login.northwind.com/authorize, your token’s iss claim will be https://login.northwind.com/. However, if you request an access token from https://northwind.auth0.com/authorize, your token’s iss claim will be https://northwind.auth0.com/.
If you request an access token from your custom domain with the target audience of the Auth0 , then you must call the Auth0 Management API from your custom domain. Otherwise your access token is considered invalid.