When using the Test option in the APIs section, the access token in question is guaranteed to be suitable for the selected API, which means that unless the API is incorrectly configured the call will succeed.
The above is an excellent way to check that the API is correctly configured. In your case, the call works with the Test access token, so it’s highly likely that the issue is not in the API.
By exclusion the problem should be in the client application; in particular, for such an error condition the most probable cause is that you’re either:
- sending the wrong token; it should be the access token that is sent to the API, not the ID token.
- sending an access token that is not suitable for the API in question.
Based on the information provided you seem to be in the second option. If you take a look at the quickstart step you mentioned you’ll notice that there is a call to an audience method that sets the audience associated with the authentication request. When you want the client application to obtain an access token suitable to call your own API that you defined in the dashboard, then you must set the audience to match the identifier of the API you configured. In my opinion the quickstart does not go over this in sufficient detail so it likely needs to be revisited/updated, but based on what you shared you’re sending the wrong audience and as a consequence obtaining an access token not suitable to your API.
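To tell the two causes listed above apart on the client side, the token the application actually sends can be inspected. The following is an added example, not part of the original answer or of any quickstart: it decodes the token payload without verifying the signature (troubleshooting only) and compares the `aud` claim with the API identifier. The identifier, client ID and sample tokens are constructed placeholders, and treating a token whose audience equals the client ID as an ID token is an assumption of this sketch.

```python
import base64
import json

API_IDENTIFIER = "https://api.example.test"   # constructed placeholder
CLIENT_ID = "CONSTRUCTED_CLIENT_ID"           # constructed placeholder

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def diagnose_token(token, api_identifier, client_id=None):
    """Classify a token for troubleshooting. The signature is NOT verified,
    so the result must never be used as an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        return "not-a-jwt"            # e.g. an opaque access token
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:                # bad base64, bad UTF-8 or bad JSON
        return "not-a-jwt"
    if not isinstance(claims, dict):
        return "not-a-jwt"
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if api_identifier in audiences:
        return "ok"
    if client_id is not None and audiences == [client_id]:
        return "looks-like-id-token"  # first cause: wrong token sent
    return "wrong-audience: " + ", ".join(map(str, audiences))

def make_token(claims):
    # Builds an unsigned, constructed sample token for the demo and the tests.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

if __name__ == "__main__":
    samples = {
        "audience set to API": make_token({"aud": [API_IDENTIFIER]}),
        "ID token": make_token({"aud": CLIENT_ID, "nonce": "n"}),
        "other audience": make_token({"aud": "https://other.example.test"}),
        "opaque": "constructed-opaque-token",
    }
    for name, tok in samples.items():
        print(name, "->", diagnose_token(tok, API_IDENTIFIER, CLIENT_ID))
```

A result other than `ok` for the token taken from the client's outgoing request points at the authentication request's audience setting rather than at the API configuration.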