401 "Bad audience" when trying to access Management API

Hi everybody, I was trying to find an answer in previous questions, but it looks like there is no one recipe, so asking here :-)

So what I need: I need to connect to the Management API to modify a user’s metadata.

What I’m doing:

  1. I’m creating a JWT:
    POST https://[tenant].auth0.com/oauth/token
    {
    "client_id": "ID",
    "client_secret": "SEC",
    "audience": "auth0.[domain].com",
    "grant_type": "client_credentials"
    }
    and got this response:
    {
    "access_token": "[access_token]",
    "scope": "read:clients",
    "expires_in": 86400,
    "token_type": "Bearer"
    }

  2. Trying to use this token to access:
    GET https://[tenant].auth0.com/api/v2/users
    and got this message:

{
"statusCode": 401,
"error": "Unauthorized",
"message": "Bad audience: auth0.[domain].com"
}

So what am I doing wrong? Can anybody advise? Thanks in advance!

1 Like

Hey @JetMatt, Welcome to the Auth0 Community!

The audience for the Management API in the “/oauth/token” request needs to be the Management API identifier.
On your dashboard if you go to APIs-> Auth0 Management API → API Audience is mentioned next to the name.

Do check and let me know how you go!

Regards,
Sid

1 Like

Hi @sidharth.chaudhary - I see this name (auth0.mydomain.com), but I do not understand where I should use it.

I’m already using this name to get a token (https://*****.auth0.com/oauth/token):
{
"client_id": "",
"client_secret": "",
"audience": "auth0.mydomain.com",
"grant_type": "client_credentials"
}

And I successfully get the JWT.

But this token doesn’t work with this request: GET https://*****.auth0.com/api/v2/users. It gives

{
"statusCode": 401,
"error": "Unauthorized",
"message": "Bad audience: auth0.mydomain.com"
}
I see that the audience from the response (auth0.mydomain.com) is different from the real one, auth0.mydomain.com.

I have no idea why. Please advise.

Hey, Sid, your suggestion didn’t help. Why did you mark your answer as the solution? Can you answer my question and help me get access to the API?

1 Like

Hey @JetMatt, the audience needs to be the API identifier, not the Auth0 domain (auth0.mydomain.com).

Please find the screenshot which shows the audience for the Management API; you will need to use the complete link as the API audience as shown, not just the domain.

Let me know how you go!

Regards,
Sid

Hi @JetMatt and @sidharth.chaudhary: I know this post is old, but please, what was your way around the mentioned issue?

I have 2 APIs: the Management API and MyDomainAPI. I added this custom API because the Management API does not have the create/delete users scope, so I decided to create one so I could add those scopes.
Using my new API’s audience, I was able to get a token via the Management API’s /token URL.

But when I tried either POST or GET on https://*****.auth0.com/api/v2/user

I get the error message "Bad Audience: MyCustomAPI Identifier". Is there anything I am doing wrong?

2 Likes

Were you able to get a solution?

Oh yes. I guess my assumption was wrong. I did not need to create a new DomainAPI. All I needed to do was to use my Management API’s audience to generate a token and use the same token to POST or GET users.

2 Likes

Glad you have figured it out, and thanks for sharing with the rest of the community!

I am in a similar situation here: when trying to get a list of users using the Management API’s identifier as the audience, the scopes returned in the access token do not contain read:users (even though I requested that scope when logging in).

When I change the audience URL to my custom API identifier, I DO get the read:users scope back in the access token. However, when using this access token to try to fetch the list of users, I get the “bad audience” error. Any advice?

1 Like

I have the same problem on my side. I get a token with mydomain.auth0.com, but when I use the Managed API to fetch read:user or read:roles it sends me "message": "Bad audience: http://Customapi
I have set all that is needed from your posts and it should work according to your docs. Can you tell me what can be an issue here?

I have the same issue. I am trying to create a user via API. Can someone have a look at what I might be doing wrong?

I’m making the first request to get a token, and that works fine.

I’m then using that token to try and create a user.

I get back an error: “Bad audience”.

Hi there @andynbruce welcome to the community!

Everything looks good here except that the audience param in your request to /oauth/token needs to be https://your_domain/api/v2/, the identifier of your tenant’s Management API. If you navigate to the API itself in your tenant dashboard (Applications → API → Management API) you should see a “Test” tab. This will allow you to choose an application with permission to test this flow. You should be able to extract the token from this page and use it against your Management API. If you copy the token and inspect it at jwt.io you’ll see that it has the correct audience.

Here’s what the “Test” page looks like:

Hope this helps!

1 Like

It is difficult for me to consider this as the accepted answer while the documentation literally states that you could create a custom API with permissions.

Add API Permissions.

The dashboard generates a test token which doesn’t work, but then the support desk said you should use the system-generated audience.

I was just testing how to delete a user using the management API v2.

1 Like

I’m still getting the “Bad audience” error even with the correct audience. I got the access token directly from APIs > Test. Can someone please help?

{
    "statusCode": 401,
    "error": "Unauthorized",
    "message": "Bad audience: https://[MY_TENANT].auth0.com/api/v2/"
}
curl --location --request POST 'https://login.auth0.com/api/v2/client-grants' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer [ACCESS_TOKEN]' \
--data-raw '{"client_id":"[CLIENT_ID]","audience":"https://[MY_TENANT].auth0.com/api/v2/","scope":["identify guilds email guilds.join"]}'
2 Likes

We were facing the exact same problem and, looking at the documentation, we found that we were using a different URL.
Instead of
https://***-hom.auth0.com/api/v2/
we used
https://***-hom.us.auth0.com/api/v2/.

Note the additional .us in the URL.

That solved our problem. Hope it helps.

1 Like
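To tie together the two fixes given in this thread (the audience must be the Management API identifier https://your_domain/api/v2/, and that domain must include any regional label such as .us), here is an added helper script that is not part of any post above and not Auth0's own code. It builds the client_credentials request body with the canonical audience and, like pasting the token into jwt.io, decodes the unverified aud claim to predict a "Bad audience" response before the /api/v2/ call is made; the tenant names and tokens are constructed samples.

```python
import base64
import json
from urllib.parse import urlparse

def management_api_audience(domain: str) -> str:
    """Canonical Management API identifier 'https://<tenant-domain>/api/v2/'.
    Accepts a bare domain, a URL, or the identifier itself. The domain must be the
    tenant's full Auth0 domain, including any regional label (e.g. 'x.us.auth0.com')."""
    host = domain.strip()
    if "://" in host:
        host = urlparse(host).netloc
    return f"https://{host.split('/')[0]}/api/v2/"

def client_credentials_body(domain: str, client_id: str, client_secret: str) -> dict:
    """JSON body for POST https://<domain>/oauth/token (client_credentials grant)."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": management_api_audience(domain),
        "grant_type": "client_credentials",
    }

def jwt_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it (inspection only, like jwt.io)."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def diagnose_audience(token: str, domain: str) -> str:
    """Predict from the 'aud' claim whether /api/v2/ will accept this token."""
    expected = management_api_audience(domain)
    aud = jwt_payload(token).get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)
    if expected in auds:
        return "ok"
    return f"Bad audience: token aud={auds}, Management API expects {expected!r}"

def _sample_jwt(payload: dict) -> str:
    """Constructed, unsigned sample token for this demo (not a real Auth0 token)."""
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = b64(b'{"alg":"RS256","typ":"JWT"}')
    return ".".join([header, b64(json.dumps(payload).encode()), ""])

# Constructed samples: a token minted with the bare domain as audience (the
# thread's failing case) and one minted with the regional Management API identifier.
BAD_TOKEN = _sample_jwt({"aud": "auth0.mydomain.com", "scope": "read:clients"})
GOOD_TOKEN = _sample_jwt({"aud": ["https://tenant.us.auth0.com/api/v2/"], "scope": "read:users"})
```

Running diagnose_audience(GOOD_TOKEN, "tenant.auth0.com") also reports a mismatch, which is exactly the missing-.us case described above: the token was issued for the regional identifier, so the non-regional URL is a different audience.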

Try the request with ‘.us’ in the URL.

Ex: {domain}.us.auth0.com/api/v2/…

Thanks for sharing @amelco.herman ! I believe this is the solution but we’ll let @michaeldavidbrant confirm :smile:

Sharing for future reference: