Access Token Profiles
Access token profiles define the format and claims of access tokens issued for an API. Auth0 supports the following access token profiles, also known as token dialects:
Auth0 token profile, or the default access token profile
RFC 9068 token profile, or the access token profile that follows the IETF JWT Profile for OAuth 2.0 Access Tokens (RFC 9068)
Token Profile | Description | Token Dialect |
---|---|---|
Auth0 token profile | The default token profile. Issues access tokens formatted as a JSON Web Token (JWT). | Two token dialects: one without and one with the permissions claim (the latter is used when RBAC and Add Permissions in the Access Token are enabled for the API). |
RFC 9068 token profile | Issues access tokens formatted as a JSON Web Token (JWT) following the IETF standard for encoding OAuth 2.0 Access Tokens in JWT format (RFC 9068). | Two token dialects: one without and one with the permissions claim (the latter is used when RBAC and Add Permissions in the Access Token are enabled for the API). |
While both access token profiles issue JWTs, the header and the claim set differ between them (see Token profile differences below). Both access token profiles can enable Role-Based Access Control (RBAC) and add the permissions claim to the access token.
To configure the access token profile for an API, read Configure Access Token Profile.
Auth0 profile sample token
{
"iss": "https://my-domain.auth0.com/",
"sub": "auth0|123456",
"aud": [
"https://example.com/health-api",
"https://my-domain.auth0.com/userinfo"
],
"azp": "my_client_id",
"exp": 1311281970,
"iat": 1311280970,
"scope": "openid profile read:patients read:admin",
"my_custom_claim": "my_custom_value"
}
RFC 9068 profile sample token
{
"iss": "https://my-domain.auth0.com/",
"sub": "auth0|123456",
"aud": [
"https://example.com/health-api",
"https://my-domain.auth0.com/userinfo"
],
"client_id": "my_client_id",
"exp": 1311281970,
"iat": 1311280970,
"jti": "73WakrfVbNJBaAmhQtEeDv",
"scope": "openid profile read:patients read:admin",
"my_custom_claim": "my_custom_value"
}
Token profile differences
The Auth0 profile and the RFC 9068 profile issue JWTs with different headers and claim sets. The main differences are:
The RFC 9068 profile sets the JWT header typ to at+jwt instead of JWT, so an API can tell an access token apart from an ID token or any other JWT before it trusts the payload.
The RFC 9068 profile includes the jti claim, a unique identifier for the JWT that an API can record to detect a replayed token.
The Auth0 profile uses the azp claim to carry the client ID, whereas the RFC 9068 profile uses the client_id claim.
The RFC 9068 profile does not use the gty claim, an Auth0-specific claim that records the grant type (authentication flow) used to request the token.
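The following is an added example written for this page, not Auth0's own code or SDK. It shows how a resource server validates a token in either profile and normalizes the differences listed above: it branches on the typ header, reads the client ID from azp or client_id depending on the profile, and tracks jti values for RFC 9068 tokens so a captured token cannot be presented twice. The issuer, audience and tokens are constructed fixtures; the tokens are minted locally with HS256 and a shared secret purely so the example runs offline, whereas a real verifier fetches the tenant's JWKS and expects RS256 as shown in the header table.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed fixtures, not real tenant values. A production verifier resolves
# the key from the tenant JWKS and expects RS256; HS256 with a shared secret is
# used here only so the example runs offline.
ISSUER = "https://my-domain.auth0.com/"
API_AUDIENCE = "https://example.com/health-api"
SECRET = b"demo-only-shared-secret"


class TokenError(Exception):
    pass


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(header, claims):
    """Build a compact HS256 JWS so there is something to verify."""
    signing_input = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class ReplayCache:
    """Remembers jti values until they expire; only RFC 9068 tokens carry jti."""
    def __init__(self):
        self._seen = {}

    def check_and_add(self, jti, exp, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if jti in self._seen:
            raise TokenError("replayed jti")
        self._seen[jti] = exp


def verify(token, now=None, replay=None):
    """Validate a token in either profile and return normalized fields."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin alg; never trust the header's choice
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    # typ separates the two profiles and rejects ID tokens or other JWTs
    # passed off as access tokens.
    profile = {"at+jwt": "rfc9068", "JWT": "auth0"}.get(header.get("typ"))
    if profile is None:
        raise TokenError("unexpected typ")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud", [])
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    if not claims.get("iat", now) <= now < claims.get("exp", 0):
        raise TokenError("token not valid at this time")
    # The requesting client is azp in the Auth0 profile, client_id in RFC 9068.
    client_key = "client_id" if profile == "rfc9068" else "azp"
    if not claims.get(client_key):
        raise TokenError(f"missing {client_key}")
    if profile == "rfc9068":
        if "jti" not in claims:
            raise TokenError("RFC 9068 token without jti")
        if replay is not None:
            replay.check_and_add(claims["jti"], claims["exp"], now)
    return {"profile": profile, "client_id": claims[client_key], "sub": claims["sub"],
            "scopes": set(claims.get("scope", "").split()),
            "permissions": set(claims.get("permissions", []))}


def check(token, now=None, replay=None):
    """verify() result, or the rejection reason as a string."""
    try:
        return verify(token, now, replay)
    except TokenError as exc:
        return str(exc)


def demo_tokens(now):
    """One constructed token per profile, shaped like the samples above."""
    base = {"iss": ISSUER, "sub": "auth0|123456", "aud": [API_AUDIENCE],
            "exp": now + 600, "iat": now, "scope": "openid read:patients"}
    auth0_token = mint({"alg": "HS256", "typ": "JWT"}, {**base, "azp": "my_client_id"})
    rfc9068_token = mint({"alg": "HS256", "typ": "at+jwt"},
                         {**base, "client_id": "my_client_id", "jti": "73WakrfVbNJBaAmhQtEeDv"})
    return auth0_token, rfc9068_token
```

Calling check(token, now, cache) on the RFC 9068 token twice with the same ReplayCache returns the normalized result the first time and the string "replayed jti" the second; the Auth0-profile token has no jti, so for that profile replay protection has to come from short lifetimes instead. The alg pin and the typ check are the two places where lenient JWT libraries most often accept tokens they should not, so both are explicit rather than left to defaults.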
Header
Data | RFC 9068 Profile | Auth0 Profile |
---|---|---|
typ | at+jwt | JWT |
alg | Signing algorithm, for example, RS256 | Signing algorithm, for example, RS256 |
Claims
Claim | Description | Present in RFC 9068 Profile | Present in Auth0 Profile | Sample Claim |
---|---|---|---|---|
iss | Issuer identifier for the Auth0 tenant issuing the access token. | Yes | Yes | Tenant domain: https://tenant.auth0.com/ |
sub | The subject claim indicates which user or application the access token was issued for: the user ID when the token was issued to a user, or the client ID followed by @clients when the token was issued to an application through the Client Credentials flow. | Yes | Yes | User ID: auth0\|123456 |
aud | The audience claim defines the intended recipient of the access token. | Yes | Yes | "https://test-server/api" OR [ "https://test-server/api", "https://test.local.dev.auth0.com/userinfo" ] |
client_id | Client ID of the application that requests the access token. | Yes | No | Client ID: K1AUPhZq8mRi0Q0pjhkfu1D7y6KjDQja |
azp | Client ID of the application that requests the access token. | No | Yes | Client ID: K1AUPhZq8mRi0Q0pjhkfu1D7y6KjDQja |
exp | The expiration time on or after which the access token must not be accepted for processing. | Yes | Yes | Epoch timestamp in seconds: 1516238022 |
iat | Timestamp at which the access token was issued. | Yes | Yes | Epoch timestamp in seconds: 1516239022 |
scope | Scope of the issued access token. To learn more, read Scopes. | Yes | Yes | "openid profile offline_access" |
jti | Unique identifier for the access token. | Yes | No | Unique string identifier: aBv9njtYfwL4xfPZyEwz9m |
gty | Grant type that the application used to request the access token. Only present for password and refresh_token grant types. | No | Case-specific | Grant type: password |
permissions | Permissions available to a user or application depending on their role. Included only when the Enable RBAC and Add permissions in the Access Token settings are enabled for the API. To learn more, read Enable Role-Based Access Control for APIs. | Case-specific | Case-specific | [ "create:bar", "create:foo", "read:bar", "read:foo" ] |
org_id | Organization ID. Added when a user has authenticated through an Organization. To learn more, read Work with Tokens and Organizations. | Case-specific | Case-specific | Organization ID: org_9ybsU1dN2dKfDkBi |
org_name | Organization Name. Added when a user has authenticated through an Organization and the Organization Names in Authentication API setting is enabled. To learn more, read Use Organization Names in Authentication API. | Case-specific | Case-specific | Organization Name: my_organization |
authorization_details | Authorization details used in Rich Authorization Requests (RAR). To learn more, read Authorization Code Flow with Rich Authorization Requests. | Case-specific | Case-specific | { "type": "money_transfer", "instructedAmount": {"amount": 2500, "currency": "USD"}, "destinationAccount": "xxxxxxxxxxx9876", "beneficiary": "Hanna Herwitz" } |
cnf | Confirmation claim that is supported for mTLS Token Binding. | Case-specific | Case-specific | {"x5t#S256":"A4DtL2JmUMhAsvJj5tKyn64SqzmuXbMrJa0n761y5v0"} |
Custom claims | Custom claims can be added to access tokens via Actions. To learn more, read Create Custom Claims. | Case-specific | Case-specific | "favorite_color": "blue" |
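The following is an added example written for this page, not Auth0's own code. It shows how an API consumes the case-specific claims in the table once the token's signature, issuer, audience and lifetime have already been checked: permissions is treated as the authoritative grant list when it is present (RBAC enabled) and scope is only the fallback, org_id pins the token to one Organization, and cnf is enforced by recomputing the x5t#S256 thumbprint of the client certificate presented on the mTLS connection. The claims dictionary and the certificate bytes are constructed inputs; the DER bytes are a stand-in and not a real certificate.

```python
import base64
import hashlib
import hmac


def x5t_s256(cert_der):
    """Certificate thumbprint used by cnf: base64url(SHA-256(DER)) without padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authorize(claims, required, org_id=None, client_cert_der=None):
    """Decide whether already-verified claims allow `required` on this API.

    Returns (allowed, reason). `claims` is the decoded, signature-checked
    payload of an access token in either profile.
    """
    # With RBAC enabled, the permissions claim is the API's own grant list;
    # scope only records what the client asked for, so it is the fallback.
    if "permissions" in claims:
        granted, source = set(claims["permissions"]), "permissions"
    else:
        granted, source = set(claims.get("scope", "").split()), "scope"
    if required not in granted:
        return False, f"{required} not granted by {source}"
    # A token minted through an Organization is only honoured for that org.
    if org_id is not None and claims.get("org_id") != org_id:
        return False, "token was not issued for this organization"
    # cnf makes the token sender-constrained: it is only valid on a connection
    # authenticated with the certificate whose thumbprint it carries.
    cnf = claims.get("cnf")
    if cnf is not None:
        if client_cert_der is None:
            return False, "sender-constrained token presented without a client certificate"
        presented = x5t_s256(client_cert_der).encode()
        bound = str(cnf.get("x5t#S256", "")).encode()
        if not hmac.compare_digest(bound, presented):
            return False, "client certificate does not match cnf thumbprint"
    return True, f"granted by {source}"


# Constructed inputs (not captured from a real tenant). CERT_DER is a stand-in
# for the DER encoding of the client certificate seen on the mTLS connection.
CERT_DER = b"\x30\x82\x01\x0a constructed stand-in for a client certificate in DER form"
ORG = "org_9ybsU1dN2dKfDkBi"
RBAC_CLAIMS = {
    "sub": "auth0|123456",
    "scope": "openid read:patients read:admin",
    "permissions": ["read:patients"],
    "org_id": ORG,
    "cnf": {"x5t#S256": x5t_s256(CERT_DER)},
}


def demo():
    """Run the decision for the cases a practitioner should see rejected and allowed."""
    return [
        authorize(RBAC_CLAIMS, "read:patients", org_id=ORG, client_cert_der=CERT_DER),
        # read:admin is in scope but not in permissions: RBAC wins.
        authorize(RBAC_CLAIMS, "read:admin", org_id=ORG, client_cert_der=CERT_DER),
        authorize(RBAC_CLAIMS, "read:patients", org_id="org_somewhere_else", client_cert_der=CERT_DER),
        authorize(RBAC_CLAIMS, "read:patients", org_id=ORG, client_cert_der=b"a different certificate"),
        # No RBAC and no cnf: scope alone decides.
        authorize({"sub": "auth0|123456", "scope": "openid read:patients"}, "read:patients"),
    ]
```

The second case is the one that matters most in practice: a token can carry read:admin in scope because the client requested it, while the user's role grants only read:patients, so an API that checks scope alone on an RBAC-enabled API over-authorizes. The cnf check must run against the certificate the TLS layer actually authenticated, not a certificate supplied in a header, or the binding is meaningless.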