> Describes how to validate an access token.

# Validate Access Tokens

An <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip> is meant for an API and should be validated only by the API for which it was intended.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Identity Provider (IdP) access tokens do not require validation by your API. Pass the IdP access token to the issuing IdP, which handles the validation. For more information, see [Identity Provider Access Tokens](/docs/secure/tokens/access-tokens/identity-provider-access-tokens).
</Callout>

If any of the following checks fails, the token is considered invalid, and the request must be rejected with a `401 Unauthorized` response.

1. **Perform standard JWT validation.** Because the access token is a JWT, you need to perform the standard JWT validation steps. See [Validate JSON Web Tokens](/docs/secure/tokens/json-web-tokens/validate-json-web-tokens) for details.
2. **Verify token audience claims.** If you've performed the standard JWT validation, you have already decoded the JWT's payload and looked at its standard claims. The token audience claim (`aud`, array of strings) depends on the initial token request. The `aud` field could contain both an audience corresponding to your custom API and an audience corresponding to the `/userinfo` endpoint. At least one of the audience values for the token must match the unique identifier of the target API as defined in your [API's Settings](https://manage.auth0.com/#/apis) in the **Identifier** field. See [Get Access Tokens](/docs/secure/tokens/access-tokens/get-access-tokens) for details.
3. **Verify permissions (scopes).** Verify that the application has been granted the permissions required to access your API. To do so, check the `scope` claim (a space-separated list of strings) in the decoded JWT's payload. It should include the permissions required for the endpoint being accessed. For example, if your custom API provides three endpoints to read, create, or delete a user record, then when you registered your API with Auth0, you created three corresponding permissions:

   1. `create:users` provides access to the `/create` endpoint
   2. `read:users` provides access to the `/read` endpoint
   3. `delete:users` provides access to the `/delete` endpoint

   In this case, if an application requests access to the `/create` endpoint, but the access token's `scope` claim does not include the value `create:users`, then the API should reject the request.
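Steps 2 and 3 above, as an added example that is not part of the Auth0 documentation or SDKs: it runs the audience and scope checks on a payload that step 1 (signature, issuer and expiry validation) has already decoded. The API identifier, tenant domain and payload values are constructed placeholders; note that `aud` may arrive as a single string or as an array, and a missing `scope` claim means no permissions.

```python
from __future__ import annotations
from typing import Iterable

# Placeholder values (not a real tenant or API): the Identifier field from the
# API's Settings and the /userinfo audience Auth0 may add to the same token.
API_IDENTIFIER = "https://api.example.com/users"
USERINFO_AUD = "https://YOUR_TENANT.auth0.com/userinfo"

# Constructed sample payload as it looks after standard JWT validation.
PAYLOAD_OK = {
    "iss": "https://YOUR_TENANT.auth0.com/",
    "sub": "auth0|123",
    "aud": [API_IDENTIFIER, USERINFO_AUD],
    "scope": "openid read:users create:users",
    "exp": 4102444800,
}


def audiences(payload: dict) -> list:
    """Normalise `aud`: RFC 7519 allows a single string or an array of strings."""
    aud = payload.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    return [a for a in aud if isinstance(a, str)]


def scopes(payload: dict) -> set:
    """`scope` is a space-separated string; absent or malformed means no permissions."""
    value = payload.get("scope", "")
    if not isinstance(value, str):
        return set()
    return set(value.split())


def authorize(payload: dict, expected_audience: str, required_scopes: Iterable[str]) -> tuple:
    """Audience must include this API's identifier and the token must carry every
    permission the endpoint requires. Returns (allowed, reason); any False result
    is answered with 401 Unauthorized, as the page specifies."""
    if expected_audience not in audiences(payload):
        return False, "audience mismatch"
    missing = set(required_scopes) - scopes(payload)
    if missing:
        return False, "missing scope(s): " + " ".join(sorted(missing))
    return True, "ok"
```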

## Learn more

* [Get Access Tokens](/docs/secure/tokens/access-tokens/get-access-tokens)
* [Use Access Tokens](/docs/secure/tokens/access-tokens/use-access-tokens)
* [Management API Access Tokens](/docs/secure/tokens/access-tokens/management-api-access-tokens)
* [Get Management API Access Tokens for Testing](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-access-tokens-for-testing)
* [Get Management API Access Tokens for Production](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-access-tokens-for-production)
* [Token Best Practices](/docs/secure/tokens/token-best-practices)
