Access token when obtained from iOS results in 401 unauthorized while from react-admin is ok

I have a nestJS backend, a react-admin front-end and a mobile app written in swift. When I access the backend from the react-admin front end I am able to successfully login and make requests to the backend. However, with the iOS app, I am able to successfully login but am unable to make requests. Requests made result in 401 unauthorized. I have posted this issue on stack overflow as well with screenshots and code snippets.

The swift code used is as follows:

let path = "\(baseURL)\(endpoint.rawValue)"
guard let url = URL(string: path)
else { preconditionFailure("Bad URL") }
var headers: [String:String] = [:]
headers["Content-Type"] = "application/json"
// if access token is set then set Authorization headers
if (accessToken != nil) {
    headers["Authorization"] = "Bearer \(accessToken!)"
    print("Bearer \(accessToken!)")
var request = URLRequest(url: url)
request.httpMethod = "\(method)"
request.allHTTPHeaderFields = headers
// check if body exists
if (body != nil) {
    request.httpBody = body!

let dataTask = URLSession.shared.dataTask(with: request) {
    (data, response, error) in
    guard error == nil
    else { completion(.failure(.serverError)); return }
    do {
        guard let data = data
        else { completion(.failure(.serverError)); return }
        guard let object : [[String: AnyObject]] = try JSONSerialization.object(with: data) as? [[String: AnyObject]]
        else {
            print("Unable to convert from data")
        guard let json = try? object, options: .prettyPrinted)
        else {
            print("Unable to prettify")

        guard let jsonString = String(data: json, encoding: .utf8)
        else {
            print("Unable to convert to string")
         print("JSON: \(jsonString)")
     } catch {

baseURL is a string that points to my nestJS backend. endpoint is an enum of endpoints, for example \user

Using Proxyman I am able to confirm that the endpoint is hit with the correct headers. Screenshot below.

Additionally, using postman I am able to successfully login and also make a get request to protected data. Screenshot below.

I am using Auth0 1.0 for swift (installed via pods). Any pointers to what might be the problem would be greatly appreciated.

The problem was that audience was set when requesting access tokens from the react-admin, while I did not include this in the swift login implementation.

Decoding the JWT on and the following thread lead to this conclusion.

Adding the audience in the following code resulted in the correct jwt being returned and successful access to backend.

        password: self.password,
        realm: "Username-Password-Authentication",
        audience: "<YOUR_AUDIENCE>",     // <- This is what I forgot
        scope: "openid profile email"
1 Like

Perfect! Glad to hear that and thanks for sharing with the rest of community!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.