401 error when calling a protected API

I’m having a pretty persistent issue that when I try and hit a protected API, I’m getting a 401 error.

I have a SPA and am using the auth0-react package.

Auth0Provider code:

const audience = process.env.SERVER_URL;

        redirect_uri: window.location.origin,
        useRefreshTokens: true,
      <App />

Access Token Fetch code:

import { useAuth0 } from "@auth0/auth0-react";

const { getAccessTokenSilently } = useAuth0();

const accessToken = await getAccessTokenSilently({
  authorizationParams: {
    audience: process.env.SERVER_URL,
  },
});

Client code to call the API

const options = {
  method: "GET",
  url: "/api/heaList",
  headers: {
    "content-type": "application/json",
    Authorization: `Bearer ${accessToken}`,
  },
};

const heaListResponse = await axios.request(options);

Server validation code:

const { auth } = require("express-oauth2-jwt-bearer");

const jwtCheck = auth({
  audience: process.env.SERVER_URL,
  issuerBaseURL: `https://${process.env.AUTH0_DOMAIN}/`,
  tokenSigningAlg: "RS256",
});


Application settings:

  • Application Type: Single Page Application
  • Token Endpoint Authentication Method: None
  • Allow Cross-Origin Authentication: True
  • Rotation: True
  • Reuse Interval: 10
  • Absolute Expiration: True
  • Absolute Lifetime: 2592000
  • Inactivity Expiration: True
  • Inactivity Lifetime: 1296000

API Settings:

  • Token Expiration: 86400
  • Token Expiration For Browser Flows: 7200
  • Signing Algorithm: RS256
  • Allow Skipping User Consent: True

Rest of settings are false

I have verified the following through debugging:

  • The process.env.SERVER_URL matches the audience of the protected server.

  • API is using RS256 signing algorithm

  • The access code that is produced is valid when I check with jwt.io. It is not expired, the “iss” matches the Auth0 domain, the API audience is included in the “aud” array.

I’m pretty lost as to what to try next, so any help is appreciated.

Hi @daniel.meyer,

Welcome to the Auth0 Community!

Is there a more verbose error message? Sometimes the error will include what aspect of the request/token is causing the 401.

Could you please provide a sample token so we can take a look? You can omit sensitive data.


Sure thing. I’ve pasted the message below:

Bearer realm="api", error="invalid_token", error_description="Failed to fetch authorization server metadata"

Sample token is below:



This error suggests that your API isn’t able to request the auth metadata to validate the token.

Can you confirm the issuerBaseURL is correct? You can send it to me in a DM and I’ll have a look.

Just direct messaged you

We’re running into a similar issue but only when deploying the API with IISNode on a Windows IIS server.

We’re using the same RS256 signing algo and have confirmed that this works via localhost.

The problem comes up when we host it with a domain name served to us via the IIS Server, and try to access a protected API route using the domain name.

When running a localhost version of said API and trying to hit it via http://localhost:3001, it accepts the token and makes the authentication call.


I never heard a final resolution on this, but I think it was the result of an error in the issuer base url.

If that’s not the issue with you, please open a new topic in the #help category.

1 Like
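
An added example, not part of the original thread or of Auth0's code: a Node.js (18+) check for the "Failed to fetch authorization server metadata" case discussed above, separating a malformed issuerBaseURL from a host (such as the IIS server) that cannot reach the discovery document. The helper names and the --probe flag are assumptions of this example, and it assumes the tenant serves OIDC discovery at /.well-known/openid-configuration under the issuer URL.

```javascript
// Added example; issuerProblems, metadataProblems and probe are hypothetical helpers.
// Requires Node 18+ (global fetch). "tenant.example" in the tests is a constructed value.

// Static checks on the string passed as issuerBaseURL.
function issuerProblems(issuerBaseURL) {
  let url;
  try {
    url = new URL(issuerBaseURL);
  } catch {
    return ["not a valid absolute URL"];
  }
  const problems = [];
  if (url.protocol !== "https:") problems.push("scheme is not https");
  // An unset environment variable interpolates as the literal text "undefined".
  if (url.hostname === "undefined") problems.push("host comes from an unset variable");
  // A domain value that already carries a scheme yields "https://https://...".
  if (url.hostname === "https" || url.hostname === "http") problems.push("domain value already included a scheme");
  if (url.pathname !== "/") problems.push(`unexpected path: ${url.pathname}`);
  if (issuerBaseURL !== issuerBaseURL.trim()) problems.push("leading or trailing whitespace");
  return problems;
}

// Checks on the parsed discovery document once it has been fetched.
function metadataProblems(issuerBaseURL, metadata) {
  if (!metadata || typeof metadata.issuer !== "string") return ["document has no issuer field"];
  const problems = [];
  if (metadata.issuer !== new URL(issuerBaseURL).href) problems.push(`issuer differs: ${metadata.issuer}`);
  if (!metadata.jwks_uri) problems.push("no jwks_uri, so signing keys cannot be located");
  return problems;
}

// Fetch the discovery document and report which stage fails.
async function probe(issuerBaseURL, fetchImpl = fetch) {
  const found = issuerProblems(issuerBaseURL);
  if (found.length) return { stage: "config", problems: found };
  const target = new URL(".well-known/openid-configuration", issuerBaseURL);
  try {
    const res = await fetchImpl(target, { signal: AbortSignal.timeout(5000) });
    if (!res.ok) return { stage: "http", problems: [`HTTP ${res.status} from ${target}`] };
    return { stage: "metadata", problems: metadataProblems(issuerBaseURL, await res.json()) };
  } catch (err) {
    // DNS, proxy, firewall, TLS and non-JSON-body failures surface here; err.cause carries the detail.
    return { stage: "fetch", problems: [String(err.cause || err)] };
  }
}

// Usage: node check-issuer.js --probe   (with AUTH0_DOMAIN set as the API process sees it)
if (process.argv[2] === "--probe") {
  probe(`https://${process.env.AUTH0_DOMAIN}/`).then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Run it on the same host and under the same account as the API, since environment variables, proxy settings and outbound firewall rules there can differ from a developer machine where localhost works.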