Audiences in Jwt are not allowed

sahil2 · March 12, 2024, 4:15pm

I am trying to follow the Client Credentials flow. I am able to get an access token using

curl --request POST \
  --url <domain>/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"<client_id>","client_secret":"<client_secret>","audience":"<domain>/api/v2/","grant_type":"client_credentials"}'

When I try to use the generated Access Token, I get 403 Audiences in Jwt are not allowed

Question: Why does the generated access_token has aud claim set to <domain>/api/v2 instead of the client_id? The usual behaviour that we see when using a UI application.

tyf · March 12, 2024, 9:51pm

Hey there @sahil2 welcome to the community!

How exactly are you attempting to use this access token? The audience of <domain>/api/v2 is specifically used to get Management API access tokens. The audience claim will always be an API identifier, either your own registered API or the Management API.

system · March 26, 2024, 9:51pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.