> Describes how to troubleshoot invalid token errors.

# Troubleshoot Invalid Token Errors

## Parsing an HS256-Signed ID Token Without an Access Token

**Error Message**: The <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+token">ID token</Tooltip> cannot be validated because it was signed using the HS256 algorithm and public applications (such as a browser) can’t store secrets.

### Causes

Beginning with **auth0.js version 9** and **Lock version 11**, when ID tokens are signed with HS256, they are discarded and a call to `/userinfo` is made to retrieve user information.

Calling `/userinfo` requires an <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=Access+Token">Access Token</Tooltip>. If you don't ask for an access token when authenticating, you will receive the following error:

```text
The id_token cannot be validated because it was signed with the HS256 algorithm
and public applications (like a browser) can’t store secrets.
Please read the associated doc for possible ways to fix this.
```

### Fixes

There are two ways to fix the error:

1. **(RECOMMENDED)** Change the application signature algorithm to RS256 instead of HS256.
2. Change the value of your `responseType` parameter to `token id_token` (instead of the default), so that you receive an access token in the response.

To change the application signature algorithm to RS256 instead of HS256:

1. Go to [Auth0 Dashboard > Applications > Applications](https://manage.auth0.com/#/applications), and select the name of the application to view.
2. Scroll to the bottom of the **Settings** page, and select **Show Advanced Settings**.
3. Select the **OAuth** view, change the value of **JsonWebToken Signature Algorithm** to **RS256**, and select **Save Changes**.

If you proceed with this option and you are using the ID token to call your APIs, be sure to change your server code so that it validates tokens using the RS256 algorithm instead of HS256. Note that using ID tokens to call APIs is not recommended.
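The server-side change described above, sketched as an added example (not Auth0's own code) using only Node's built-in `crypto` module: the verifier pins `RS256` itself instead of trusting the token header, then checks issuer, audience and expiry. The function names, the throwaway key pair, the issuer `https://tenant.example/` and the client ID `sample-client-id` are constructed for illustration; in a real deployment the public key is your tenant's signing key.

```javascript
const nodeCrypto = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Returns the claims if the token is a valid RS256 ID token, otherwise throws.
function verifyIdToken(token, publicKey, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // Pin the algorithm on the server; the token header must not select it.
  if (dec(h).alg !== 'RS256') throw new Error('unexpected alg');
  const sigOk = nodeCrypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`),
    publicKey, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  const claims = dec(p);
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed sample data: a throwaway key pair and two tokens with the same claims.
function buildSamples() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const claims = { iss: 'https://tenant.example/', aud: 'sample-client-id',
    sub: 'user|123', exp: Math.floor(Date.now() / 1000) + 300 };
  const body = (alg) => `${enc({ alg, typ: 'JWT' })}.${enc(claims)}`;
  const rs = body('RS256');
  const hs = body('HS256');
  return {
    publicKey,
    expected: { issuer: claims.iss, audience: claims.aud },
    rs256: `${rs}.${nodeCrypto.sign('RSA-SHA256', Buffer.from(rs), privateKey).toString('base64url')}`,
    hs256: `${hs}.${nodeCrypto.createHmac('sha256', 'constructed-secret').update(hs).digest('base64url')}`,
  };
}

// Returns the error message a call throws, or null when the token is accepted.
function reasonRejected(token, samples, opts = samples.expected) {
  try { verifyIdToken(token, samples.publicKey, opts); return null; } catch (e) { return e.message; }
}
```

A token still signed with HS256 after the switch is rejected with `unexpected alg` before any signature check runs, which is the behavior you want to confirm once the application setting has changed.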

You can decode, verify and generate <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWTs">JWTs</Tooltip> using the [JWT Tool](https://jwt.io/).
