Audiences in Jwt are not allowed

sahil2 · March 12, 2024, 4:15pm

I am trying to follow the Client Credentials flow. I am able to get an access token using

curl --request POST \
  --url <domain>/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"<client_id>","client_secret":"<client_secret>","audience":"<domain>/api/v2/","grant_type":"client_credentials"}'

When I try to use the generated Access Token, I get 403 Audiences in Jwt are not allowed

Question: Why does the generated access_token has aud claim set to <domain>/api/v2 instead of the client_id? The usual behaviour that we see when using a UI application.

tyf · March 12, 2024, 9:51pm

Hey there @sahil2 welcome to the community!

How exactly are you attempting to use this access token? The audience of <domain>/api/v2 is specifically used to get Management API access tokens. The audience claim will always be an API identifier, either your own registered API or the Management API.

system · March 26, 2024, 9:51pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
401 - Bad Audience Help management-api , users	3	1843	July 5, 2023
401 "Bad audience:' when trying to access Management API Help management-api	19	19252	October 5, 2022
Changing audience field for JWT authentication response Help login-experience , new-universal-login-experience	5	3040	January 27, 2023
Making a request for id token in oauth/token with audience returns unexpected aud value JWT.io	1	2413	August 5, 2022
Bad Audience when using a custom API JWT.io jwt , api	12	25847	September 3, 2019

Audiences in Jwt are not allowed

Related topics