The audience for the Management API in the /oauth/token request needs to be the Management API identifier.
On your dashboard, if you go to APIs → Auth0 Management API, the API Audience is shown next to the name.
I’m already using this name to get a token (https://*****.auth0.com/oauth/token):
{
"client_id": "",
"client_secret": "",
"audience": "auth0.mydomain.com",
"grant_type": "client_credentials"
}
And I successfully get the JWT.
But this token doesn’t work with this request: GET https://*****.auth0.com/api/v2/users, it gives
Please find the screenshot, which shows the audience for the Management API; you will need to use the complete link as the API audience as shown, not just the domain.
Hi @JetMatt and @sidharth.chaudhary: I know this post is old, but what was your way around the mentioned issue?
I have 2 APIs: the Management API and MyDomainAPI. I added this custom API because the Management API does not have the create/delete users scope, so I decided to create one so I could add those scopes.
Using my new API’s audience, I was able to get a token via the Management API’s /token URL.
But when I tried either POST or GET on https://*****.auth0.com/api/v2/user
I get the error message "Bad Audience: MyCustomAPI Identifier". Is there anything I am doing wrong?
Oh yes. I guess my assumption was wrong. I did not need to create a new DomainAPI. All I needed to do was use my Management API’s audience to generate a token and use the same token to POST or GET users.
I am in a similar situation here: when trying to get a list of users using the Management API’s identifier as the audience, the scopes returned in the access token do not contain read:users (even though I requested that scope when logging in).
When I change the audience URL to my custom API identifier, I DO get the read:users scope back in the access token; however, when I use this access token to try to fetch the list of users, I get the “bad audience” error. Any advice?
I have the same problem on my side: I get a token with mydomain.auth0.com, but when I use the Management API to fetch read:users or read:roles it sends me "message": "Bad audience: http://Customapi".
I have set up everything that is needed from your posts and it should work according to your docs. Can you tell me what the issue can be here?
Everything looks good here except the audience param in your request to /oauth/token needs to be https://your_domain/api/v2/, the identifier of your tenant’s Management API. If you navigate to the API itself in your tenant dashboard (Applications → APIs → Management API) you should see a “Test” tab. This will allow you to choose an application with permission to test this flow. You should be able to extract the token from this page and use it against your Management API. If you copy the token and inspect it at jwt.io you’ll see that it has the correct audience.
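As an added illustration of the answer above (this is example code written for this thread, not code posted by anyone here and not part of Auth0’s SDKs), the following script builds the client_credentials request with the Management API identifier as the audience, then does offline what the answer suggests doing at jwt.io: it reads the token’s `aud` and `scope` claims and reports the “bad audience” mismatch before any call to /api/v2/users is made. The tenant domain `example.auth0.com`, the custom API identifier `https://mycustomapi`, and the tokens are constructed for the example; the only network call, `fetch_users`, runs solely when real tenant values are supplied through environment variables.

```python
"""Added example for the thread above (not Auth0's code): build the
Management API token request and check a token's audience before use."""
import base64
import json
import os
import urllib.request
from typing import Optional


def management_audience(domain: str) -> str:
    """Management API identifier for a tenant: https://<domain>/api/v2/.
    Use the full tenant domain as shown in the dashboard, region label
    included: 'tenant.auth0.com' and 'tenant.us.auth0.com' give different
    identifiers, which is the mismatch described later in the thread."""
    return f"https://{domain}/api/v2/"


def build_token_request(domain: str, client_id: str, client_secret: str) -> dict:
    """Body for POST https://<domain>/oauth/token. The point of the fix is the
    audience value: the complete identifier, not the bare domain."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": management_audience(domain),
        "grant_type": "client_credentials",
    }


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Read the claims without verifying the signature, like pasting the token
    into jwt.io. Good for diagnosing 'Bad audience'; a resource server must
    still verify the signature before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def audience_problem(token: str, domain: str) -> Optional[str]:
    """None if the token can be used against /api/v2/ on this tenant, otherwise
    a one-line explanation matching the errors reported in the thread."""
    claims = decode_jwt_payload(token)
    expected = management_audience(domain)
    aud = claims.get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)
    if expected not in auds:
        return f"Bad audience: token is for {auds}, Management API expects {expected}"
    if "read:users" not in set(claims.get("scope", "").split()):
        return "token has the right audience but lacks read:users"
    return None


def fetch_users(domain: str, access_token: str) -> list:
    """GET https://<domain>/api/v2/users with the bearer token (network call)."""
    req = urllib.request.Request(
        f"{management_audience(domain)}users",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def constructed_jwt(claims: dict) -> str:
    """Unsigned token with the given claims, built only so the checks above can
    be exercised offline; the third segment is a placeholder, not a real MAC."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample tokens (hypothetical tenant example.auth0.com and a
# hypothetical custom API identifier https://mycustomapi).
MGMT_AUD = management_audience("example.auth0.com")
GOOD_TOKEN = constructed_jwt({"aud": [MGMT_AUD], "scope": "read:users create:users"})
CUSTOM_API_TOKEN = constructed_jwt({"aud": "https://mycustomapi", "scope": "read:users"})
NO_SCOPE_TOKEN = constructed_jwt({"aud": [MGMT_AUD], "scope": ""})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("custom API", CUSTOM_API_TOKEN), ("no scope", NO_SCOPE_TOKEN)]:
        print(f"{name}: {audience_problem(tok, 'example.auth0.com') or 'ok'}")
    # Region mismatch: a token minted for example.auth0.com is rejected by example.us.auth0.com.
    print("region mismatch:", audience_problem(GOOD_TOKEN, "example.us.auth0.com"))
    domain, token = os.environ.get("AUTH0_DOMAIN"), os.environ.get("AUTH0_MGMT_TOKEN")
    if domain and token and audience_problem(token, domain) is None:
        print(len(fetch_users(domain, token)), "users returned")
```

Run it with no environment variables to see the three diagnoses; set `AUTH0_DOMAIN` and `AUTH0_MGMT_TOKEN` to a real tenant and a token obtained with `build_token_request` to have it actually list users, and only after the audience check passes.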
It is difficult for me to consider this as the accepted answer while the documentation literally stated that you could create a custom API with permissions.
We were facing the exact same problem and, looking at the documentation, we found that we were using a different URL.
Instead of https://***-hom.auth0.com/api/v2/
we used https://***-hom.us.auth0.com/api/v2/.