> Describes the types of tokens related to identity and authentication and how they are used by Auth0.

# Tokens

export const AuthCodeBlock = ({filename, icon, language, highlight, children}) => {
  const [displayText, setDisplayText] = useState(children);
  const [copyText, setCopyText] = useState(children);
  const wrapperRef = React.useRef(null);
  useEffect(() => {
    let unsubscribe = null;
    function init() {
      if (!window.autorun || !window.rootStore) {
        return;
      }
      unsubscribe = window.autorun(() => {
        let processedChildrenForDisplay = children;
        let processedChildrenForCopy = children;
        for (const [key, value] of window.rootStore.variableStore.values.entries()) {
          const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`);
          let displayValue = value;
          if (key === "{yourClientSecret}" && value !== "{yourClientSecret}") {
            displayValue = value.substring(0, 3) + "*****MASKED*****";
          }
          processedChildrenForDisplay = processedChildrenForDisplay.replaceAll(new RegExp(escapedKey, "g"), displayValue);
          processedChildrenForCopy = processedChildrenForCopy.replaceAll(new RegExp(escapedKey, "g"), value);
        }
        setDisplayText(processedChildrenForDisplay);
        setCopyText(processedChildrenForCopy);
      });
    }
    if (window.rootStore) {
      init();
    } else {
      window.addEventListener("adu:storeReady", init);
    }
    return () => {
      window.removeEventListener("adu:storeReady", init);
      unsubscribe?.();
    };
  }, [children]);
  useEffect(() => {
    if (!wrapperRef.current) return;
    const originalWriteText = navigator.clipboard.writeText.bind(navigator.clipboard);
    let isOverriding = false;
    const handleClick = e => {
      const button = e.target.closest('[data-testid="copy-code-button"]');
      if (!button || !wrapperRef.current.contains(button)) return;
      isOverriding = true;
      navigator.clipboard.writeText = text => {
        if (isOverriding) {
          isOverriding = false;
          navigator.clipboard.writeText = originalWriteText;
          return originalWriteText(copyText);
        }
        return originalWriteText(text);
      };
      setTimeout(() => {
        if (isOverriding) {
          isOverriding = false;
          navigator.clipboard.writeText = originalWriteText;
        }
      }, 100);
    };
    const wrapper = wrapperRef.current;
    wrapper.addEventListener('click', handleClick, true);
    return () => {
      wrapper.removeEventListener('click', handleClick, true);
      if (navigator.clipboard.writeText !== originalWriteText) {
        navigator.clipboard.writeText = originalWriteText;
      }
    };
  }, [copyText]);
  return <div ref={wrapperRef}>
      <CodeBlock filename={filename} icon={icon} language={language} lines highlight={highlight}>
        {displayText}
      </CodeBlock>
    </div>;
};

There are two types of tokens that are related to identity: <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+tokens">ID tokens</Tooltip> and <Tooltip tip="Access Token: Credential that an application uses to access an API on the user's behalf." cta="View Glossary" href="/docs/glossary?term=access+tokens">access tokens</Tooltip>.

## ID tokens

[ID tokens](/docs/secure/tokens/id-tokens) are [JSON web tokens (JWTs)](/docs/secure/tokens/json-web-tokens) meant for use by the application only. For example, if there's an app that uses Google to log in users and to sync their calendars, Google sends an ID token to the app that includes information about the user. The app then parses the [token's contents](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) and uses the information (including details like name and profile picture) to customize the user experience.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Be sure to [validate ID tokens](/docs/secure/tokens/id-tokens/validate-id-tokens) before using the information it contains. You can use a [library](https://jwt.io/#libraries-io) to help with this task.
</Callout>

Do **not** use ID tokens to gain access to an API. Each token carries the identity of its intended <Tooltip tip="Audience: Unique identifier of the audience for an issued token. Named aud in a token, its value contains the ID of either an application (Client ID) for an ID Token or an API (API Identifier) for an Access Token." cta="View Glossary" href="/docs/glossary?term=audience">audience</Tooltip> (which is usually the recipient). According to the <Tooltip tip="OpenID Connect (OIDC): Identity layer built on top of the OAuth 2.0 protocol that allows applications to verify a user's identity." cta="View Glossary" href="/docs/glossary?term=OpenID">OpenID</Tooltip> Connect specification, the audience of the ID token (the **aud** claim) must be the <Tooltip tip="Client ID: Identification value given to your registered resource from Auth0." cta="View Glossary" href="/docs/glossary?term=client+ID">client ID</Tooltip> of the application making the authentication request. If this is not the case, do not trust the token.

The decoded contents of an ID token look like the following:

export const codeExample1 = `{
  "iss": "http://{yourDomain}/",
  "sub": "auth0|123456",
  "aud": "{yourClientId}",
  "exp": 1311281970,
  "iat": 1311280970,
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "gender": "female",
  "birthdate": "0000-10-31",
  "email": "janedoe@example.com",
  "picture": "http://example.com/janedoe/me.jpg"
}`;

<AuthCodeBlock children={codeExample1} language="json" />

This token authenticates the user to the application. The audience (the **aud** claim) of the token is set to the application's identifier, which means that only this specific application should consume this token.

Conversely, an API expects a token whose **aud** value equals the API's unique identifier. Therefore, unless you maintain control over both the application and the API, sending an ID token to an API will generally not work. Since the ID token is not signed by the API, the API would have no way of knowing if the application had modified the token (e.g., adding more scopes) if it were to accept the ID token. See the [JWT Handbook](https://auth0.com/resources/ebooks/jwt-handbook) for more information.

## Access tokens

[Access tokens](/docs/secure/tokens/access-tokens) (which aren't always <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWTs">JWTs</Tooltip>) are used to inform an API that the bearer of the token has been authorized to access the API and perform a predetermined set of actions (specified by the **scopes** granted).

In the Google example above, Google sends an access token to the app after the user logs in and provides consent for the app to read or write to their Google Calendar. Whenever the app wants to write to Google Calendar, it sends a request to the Google Calendar API, including the access token in the HTTP **Authorization** header.

Access tokens must **never** be used for [authentication](/docs/authenticate). An access token does not, by itself, tell you whether the user has authenticated. The only user information the access token carries is the user ID, located in the **sub** claim. In your applications, treat access tokens as opaque strings, since they are meant for APIs: your application should not attempt to decode them or expect to receive them in a particular format.

Here is an example of an access token:

export const codeExample2 = `{
  "iss": "https://{yourDomain}/",
  "sub": "auth0|123456",
  "aud": [
    "my-api-identifier",
    "https://{yourDomain}/userinfo"
  ],
  "azp": "{yourClientId}",
  "exp": 1489179954,
  "iat": 1489143954,
  "scope": "openid profile email address phone read:appointments"
}`;

<AuthCodeBlock children={codeExample2} language="json" />

Note that the token does not contain any information about the user besides their ID (**sub** claim). It only contains authorization information about which actions the application is allowed to perform at the API (**scope** claim). This is what makes it useful for securing an API, but not for authenticating a user.

In some situations, it may be desirable to put additional information about the user or other custom claims, besides the **sub** claim, in the access token to save the API from having to do extra work to fetch details about the user. If you choose to do this, bear in mind that these extra claims are readable by anyone who holds the access token. To learn more, read [Create Custom Claims](/docs/secure/tokens/json-web-tokens/create-custom-claims).

## Specialized tokens

There are three specialized tokens used in Auth0's token-based authentication scenarios:

* **<Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=Refresh+tokens">Refresh tokens</Tooltip>**: A token used to obtain a renewed access token without having to re-authenticate the user.
* **<Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=IDP">IDP</Tooltip> access tokens**: Access tokens issued by identity providers after user authentication that you can use to call third-party APIs.
* **Auth0 <Tooltip tip="Management API: A product to allow customers to perform administrative tasks." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip> access tokens**: Short-lived tokens containing specific claims (scopes) that allow you to call Management API endpoints.

## Learn more

* [JSON Web Tokens](/docs/secure/tokens/json-web-tokens)
* [ID Tokens](/docs/secure/tokens/id-tokens)
* [Access Tokens](/docs/secure/tokens/access-tokens)
* [Refresh Tokens](/docs/secure/tokens/refresh-tokens)
* [Token Storage](/docs/secure/security-guidance/data-security/token-storage)
* [Token Best Practices](/docs/secure/tokens/token-best-practices)
