You can choose which access token profile to use for your APIs: the Auth0 token profile or the RFC 9068 token profile. The access token profile you configure determines the format of the access tokens issued for the API. By default, Auth0 issues access tokens using the Auth0 token profile. The Auth0 token profile issues access tokens that are formatted as JSON Web Tokens (JWTs), which contain information about an entity in the form of claims. Auth0 also supports the RFC 9068 token profile. The RFC 9068 token profile issues access tokens formatted as JWTs following the IETF JWT Profile for OAuth 2.0 Access Tokens (RFC 9068). To learn more about the differences between these token profiles, read Access Token Profiles. When you register an API, you can select the access token profile in the Auth0 Dashboard. After you’ve registered the API, you can configure the access token profile anytime using the Management API and the Auth0 Dashboard.

Configure access token profile for an API

Auth0 DashboardManagement API
  1. Go to Dashboard > Applications > APIs and click the name of the API to view.
  2. Scroll to Access Token Settings and select the access token profile under JSON Web Token (JWT) Profile. The selected profile determines the format and claims of access tokens issued for the API. The supported values are Auth0 and RFC 9068. To read more about the difference between the two profiles, read Access Token Profiles.
  3. Click Save.
When using the Management API, we refer to access token profiles as token dialects. To configure your access token profile, set the token_dialect parameter for an API using the Management API. The following code sample makes a PATCH request to the Update a resource server endpoint: 
curl --request PATCH \
  --url 'https://{yourDomain}/api/v2/resource-servers/API_ID' \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{"token_dialect": "TOKEN_DIALECT" }'
Replace the API_ID, MGMT_API_ACCESS_TOKEN, and TOKEN_DIALECT with their respective values, as described in the following table:
ParameterDescription
API_IDID of the API for which you want to update the token dialect.
MGMT_API_ACCESS_TOKENAccess Token for the Management API with the scope update:resource_servers.
TOKEN_DIALECTDialect of the access token for the specified API. To learn more, read Token dialect options.

Token dialect options

Auth0 supports the following token dialects:
ValueDescription
access_tokenThe default Auth0 token profile generates an access token formatted as a JSON Web Token (JWT). To learn more, read Access Token Profiles.
access_token_authzThe default Auth0 token profile (access_token) with the permissions claim. To learn more about RBAC permissions, read Enable Role-Based Access Control for APIs.
rfc9068_profileThe RFC 9068 token profile generates an access token formatted as a JWT following the IETF JWT Profile for OAuth 2.0 Access Tokens (RFC 9068). To learn more, read Access Token Profiles.
rfc9068_profile_authzThe RFC 9068 profile (rfc9068_profile) with the permissions claim. To learn more about RBAC permissions, read Enable Role-Based Access Control for APIs.