
Auth0 JWT Issuer & Claims

Verify Auth0 JWTs. Auth0's issuer, JWKS URL, RS256 default signing, and the azp, scope, permissions claims explained with validation rules and code examples.

Auth0 issues JWTs for OAuth 2.0 and OpenID Connect. ID tokens are always JWTs; access tokens are JWTs when the request names an API (an audience) and opaque strings otherwise. Both are signed with RS256 by default. The issuer is your Auth0 domain with a trailing slash, https://YOUR_DOMAIN.auth0.com/ (or your custom domain, if you have configured one). Auth0 publishes its JWKS at /.well-known/jwks.json and its OIDC discovery document at /.well-known/openid-configuration under the same host.

Issuer details

Property            Auth0
Issuer (iss)        https://YOUR_DOMAIN.auth0.com/ (trailing slash; a custom domain replaces the auth0.com host)
JWKS URL            https://YOUR_DOMAIN.auth0.com/.well-known/jwks.json
OIDC discovery      https://YOUR_DOMAIN.auth0.com/.well-known/openid-configuration
Signing algorithm   RS256 (default; HS256 can be configured per API)

Issuer-specific claims

Claims you will encounter in Auth0 JWTs and what they mean for this issuer:

Claim         Meaning for this issuer
iss           https://YOUR_DOMAIN.auth0.com/ (your Auth0 domain, with trailing slash; your custom domain if you use one). Compare against the exact expected string, slash included.
sub           The user's Auth0 user ID, e.g. auth0|1234567890 or google-oauth2|abc123. The prefix names the connection that authenticated the user; the ID is stable for that user within that connection. Client-credentials tokens carry the client ID followed by @clients.
aud           Access tokens: your API identifier (the Audience configured for the API in the Auth0 dashboard); when the openid scope was also requested, aud is an array that additionally contains https://YOUR_DOMAIN.auth0.com/userinfo. ID tokens: your application's client ID. Validate that the value expected for the token type is present, and accept a string or an array.
azp           Authorized party: the client ID of the application the token was issued to. Present in access tokens, and in ID tokens whenever aud has more than one value. For first-party clients, validate it against the expected client ID when present.
scope         Space-separated scopes granted to the token. Use these for scope-based authorization.
permissions   Permissions granted through Auth0's API Authorization (RBAC), an array of strings such as 'read:users'. Populated only when RBAC and "Add Permissions in the Access Token" are enabled in the API settings.
gty           Grant type: how the token was issued (password, refresh-token, client-credentials). Useful for audit logging and for rejecting grant types an endpoint should not accept.

Verifying tokens from this issuer

Fetch the public keys from https://YOUR_DOMAIN.auth0.com/.well-known/jwks.json and select the key whose kid matches the token header. Hardcode algorithms: ['RS256'] (Auth0's default) rather than trusting the alg header: a verifier that honours the header is open to alg: none and to HS256 key confusion, where the public key is used as an HMAC secret. Validate iss against the exact issuer string (trailing slash included), aud against your API identifier (aud may be an array), and exp (and nbf, if present) against the current time with only a small clock-skew allowance. Auth0 rotates signing keys: use a JWKS client that caches keys by kid, refetches once (rate-limited) when it sees an unknown kid, and rejects the token if the kid is still unknown. For RBAC, read the permissions claim only after the signature and the claims above have passed.

Frequently asked questions

  • What algorithm does Auth0 use to sign JWTs?

    Auth0 defaults to RS256 for both ID tokens and access tokens. It publishes public keys at /.well-known/jwks.json. You can configure HS256 per API, but RS256 is the default and recommended choice: it lets resource servers verify tokens without sharing the signing key. Hardcode algorithms: ['RS256'] in your verification calls.

  • What is the Auth0 JWT issuer URL?

    The iss claim is your Auth0 domain with a trailing slash: https://YOUR_DOMAIN.auth0.com/. If you use an Auth0 custom domain, iss is that domain instead (also with a trailing slash). Validate iss against the exact expected string. The JWKS endpoint is https://YOUR_DOMAIN.auth0.com/.well-known/jwks.json and the OIDC discovery document is at /.well-known/openid-configuration on the same host.

  • How do I check permissions in an Auth0 JWT?

    Enable RBAC (Role-Based Access Control) and "Add Permissions in the Access Token" in your API settings in the Auth0 dashboard. Auth0 then includes a permissions claim (an array of strings like 'read:users') in access tokens issued for that API. After verifying the signature, iss, aud and exp, check that the required permission is present in the permissions array. The scope claim (space-separated scopes) still reflects what the client requested and was granted; permissions is the RBAC-enforced list derived from the user's roles.
