Audiences in Jwt are not allowed

sahil2 · March 12, 2024, 4:15pm

I am trying to follow the Client Credentials flow. I am able to get an access token using

curl --request POST \
  --url <domain>/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"<client_id>","client_secret":"<client_secret>","audience":"<domain>/api/v2/","grant_type":"client_credentials"}'

When I try to use the generated Access Token, I get 403 Audiences in Jwt are not allowed

Question: Why does the generated access_token has aud claim set to <domain>/api/v2 instead of the client_id? The usual behaviour that we see when using a UI application.

ty.frith · March 12, 2024, 9:51pm

Hey there @sahil2 welcome to the community!

How exactly are you attempting to use this access token? The audience of <domain>/api/v2 is specifically used to get Management API access tokens. The audience claim will always be an API identifier, either your own registered API or the Management API.

Topic		Replies	Views
401 - Bad Audience Get Help management-api , users	3	2043	July 5, 2023
Calling Management API fails with "Bad Audience" even though audience matches Management API identifier Get Help	6	4228	April 16, 2021
Access token JWT contains unrequested audience JWT.io auth0 , audience , custom-domain , access-token	2	4120	August 26, 2019
Auth0.js - not returning the correct audience Get Help jwt , javascript , audience	2	3953	March 2, 2018
Changing audience field for JWT authentication response Get Help login-experience , new-universal-login-experience	5	4275	January 27, 2023

Audiences in Jwt are not allowed

Related topics