Attempting to get an M2M service working with an API that also connects to a SPA

I would have imagined this to be pretty straightforward but since

  1. The audience within the API has to be the client id (SPA Client Id) when the SPA accesses the API and…
  2. The audience has to be the Identifier of the API when the M2M service accesses the API.

I can’t see how this can work since the audiences need to be different for when communicating with the SPA and communicating with the M2M service.

Any help would be really appreciated.

Here are the 3 places I set the tokens which is my best guess but it doesn’t work.

From within the service:

var request = new RestRequest(Method.POST);
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"client_id\":\"" + serviceClientId + "\",\"client_secret\":\"" + serviceClientSecret + "\",\"audience\":\"" + apiId + "\",\"grant_type\":\"client_credentials\"}", ParameterType.RequestBody);
var response = portalClient.Execute(request);
return JsonConvert.DeserializeObject<dynamic>(response.Content).access_token;

From within the API

AddJwtBearer(options =>
{
    options.Authority = domain;
    options.Audience = spaId;

    options.Events = new JwtBearerEvents
    {
        OnTokenValidated = OnTokenValidatedSetUser
    };
});

From within the SPA.

auth0 = new auth0.WebAuth({
    domain: domain,
    clientID: spaId,
    redirectUri: "http://localhost:3000/callback",
    audience: apiId,
    responseType: 'token id_token',
    scope: 'openid email profile etc'
});


Audience is who or what the token is intended for.

  1. If you issue a token where the audience is the client_id, that token won’t work for the API because it was not issued with the API as audience.
  2. It would be possible to do it with client_credentials. The audience that you request with the flow is the audience that you will get back in the token. M2M Applications should only use client_credentials flow authentication.

Also, we have these documents that can be helpful:

Have a great weekend!
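
Added example, not code from either post: the audience check an API performs on already-decoded claims, showing that one expected audience (the API Identifier) accepts both the SPA's access token and the M2M token while rejecting the SPA's ID token. It assumes signature and issuer validation have already passed; every identifier and payload is constructed, and the extra userinfo audience on the SPA access token is an assumption about how such a token looks when `openid` is requested.

```javascript
// Added example: the "aud" check an API applies once signature and issuer
// validation have succeeded. All identifiers below are constructed.
const API_IDENTIFIER = "https://api.example.test"; // hypothetical API Identifier
const SPA_CLIENT_ID = "spaClientIdPLACEHOLDER";    // hypothetical SPA client id

// RFC 7519: "aud" is either a single string or an array of strings.
function audienceList(claims) {
  const aud = claims.aud;
  if (typeof aud === "string") return [aud];
  if (Array.isArray(aud) && aud.every((a) => typeof a === "string")) return aud;
  return []; // a missing or malformed aud never matches
}

// Accept a token only when this API is one of its intended audiences.
function isIntendedForApi(claims, expectedAudience = API_IDENTIFIER) {
  return audienceList(claims).includes(expectedAudience);
}

// Constructed, already-decoded payloads for the three tokens in this thread.
const samples = {
  // SPA access token requested with audience: apiId and an "openid ..." scope
  spaAccessToken: {
    sub: "auth0|user123",
    aud: [API_IDENTIFIER, "https://tenant.example.test/userinfo"],
  },
  // M2M access token from client_credentials with audience: apiId
  m2mAccessToken: { sub: "serviceClientId@clients", aud: API_IDENTIFIER },
  // SPA ID token: intended for the SPA itself, so aud is the client id
  spaIdToken: { sub: "auth0|user123", aud: SPA_CLIENT_ID },
};

// Run every sample against one expected audience and report accept/reject.
function checkAll(expectedAudience) {
  const out = {};
  for (const [name, claims] of Object.entries(samples)) {
    out[name] = isIntendedForApi(claims, expectedAudience);
  }
  return out;
}

console.log("API expects its own identifier:", checkAll(API_IDENTIFIER));
console.log("API expects the SPA client id: ", checkAll(SPA_CLIENT_ID));
```

With the API Identifier as the expected audience both access tokens pass; with the SPA client id only the ID token passes, which is the mismatch described in the question.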