All posts
auth0securitynextjs

Auth0 + Next.js: id_token vs access_token for Backend APIs

Quang Tran D.'s avatarQuang Tran D.

Auth0 issues both id_tokens and access_tokens, but their purposes differ. This article clarifies the distinction and explains why some architectures send id_tokens to backend APIs while others use access_tokens. We cover OIDC flows, audience configuration, API Gateway JWT authorizers, and how to validate tokens in Lambda functions. The article includes a worked example using Next.js with @auth0/nextjs-auth0 and an API Gateway HTTP API with Auth0 as the JWT issuer. Common pitfalls like clock skew, key rotation, and role-based access control are also covered.