Frontend OIDC applications (single-page apps) that use an embedded sign-in flow (the Okta Sign-In Widget or okta-auth-js) fail after the user has completed every authentication step.
The following error appears in the browser's developer console:
AuthSdkError: Malformed token
at Object.i [as decode] (decodeToken.ts:28:11)
at handleOAuthResponse.ts:96:33
at f (regeneratorRuntime.js:72:17)
at Generator._invoke (regeneratorRuntime.js:55:24)
at Generator.next (regeneratorRuntime.js:97:21)
at r (asyncToGenerator.js:3:20)
at s (asyncToGenerator.js:22:9)
at asyncToGenerator.js:27:7
at new Promise (<anonymous>)
at asyncToGenerator.js:19:12
- Embedded Authentication
- Sign In Widget / okta-auth-js
- OIDC Applications
- JSON Web Encryption (JWE)
This error occurs when the Custom Authorization Server used by the application has Access Token Encryption enabled. With encryption on, the server returns the access token as a JWE (compact serialization: five base64url segments separated by dots) instead of a signed JWT (JWS: three segments). okta-auth-js expects a three-segment JWS and rejects the encrypted token in decodeToken with "Malformed token".
Disable Access Token Encryption on that Authorization Server, or point the application at an Authorization Server that does not encrypt tokens.
NOTE: JSON Web Encryption (JWE) of either the access_token or the id_token is not intended for public frontend applications. Decrypting a JWE requires the client to hold a private key securely, which a public client running in the browser cannot do.
