Auth Not Working for Protected API - Query Param configuration missing? (Angular & Node)

Hey Auth0 Community,

I followed the quickstart guide via Youtube to set up an Angular app to use Auth0. Overall, it was extremely helpful.

My login/logout is working. My route guards are working.

My problem: My API call keeps returning a 401 Unauthorized and I can’t figure out why.

Angular Front-End
Node.js (using Express) backend
Mongo DB

My thought: My api call uses a query parameter that comes from a value in a drop down list in my Angular app. I am wondering if query params create an issue with the HTTP_Interceptor for authentication.

I haven’t found anything about this in the community forums or online, but to be honest, I may not be googling the right terms, as I am still pretty new to all of this.

Here are some screen shots to help explain.

Front End

My component calls to my service

I have a service that handles my http calls.

I think all my env, config and module files are set up correctly:


Note: I hardcoded my “allowedList:” property so I could test it, but the “Halo” value is the query param. If I leave it blank, I get the same result. This is where I think the issue is


Backend (Node)

My route is called via my Front end


Jwt file

When everything is served up and I select an item from the drop down and submit, this is what I see in the console

Here is my network calls

Let me know what you think or if you have questions. Thank you in advance!

Hi @EyeG,

Welcome to the Auth0 Community!

Have you tried to decode the token and see if it has all the necessary claims? You can post it here (with sensitive data redacted) and I’d be happy to take a look.

Hi @dan.woda !

Thanks for responding! I did decode it but to be honest, I am not totally sure what I am looking for once I do decode it.

Here is what I see in the network:


When I decode the Access_Token, here is what I get (not exactly sure what is sensitive v. what is not - but I know I can change some of this stuff if it is sensitive ):

When I decode the id_token

Hope that helps. Thanks your again for responding! Let me know if you have questions.

Does your audience and issuer match the settings you set up in your checkJwt method?


So here is what I see, not sure if this is right, which may be the issue. I’ll change the configuration of this afterward, so I don’t mind sharing.

Backend files (node)

Env file

check-jwt file

Front End files

Auth_Config.json file

Angular Env file

Network Calls/Tokens

access_token decoded

id_token decoded

It looks like your checkJWT method is repeating the https:// and trailing / for your issuer

i.e. https://


Great idea! I made the changes, but unfortunetly still getting a 401 unauthorized :frowning_face_with_open_mouth:

node env file

jwt file

Does the error give any more information? Usually it will say something like bad audience or invalid issuer


I didn’t see anything about audience or invalid issuer. At least not yet.

I’ve been trying to debug this morning, but still no luck. It just seems odd that my route guards are working, log in is working, but my API can’t find my token. I

Here are my errors in the conosle.

For the “error” property", I think this is the stack trace, and I am trying to follow it, but it seems like all the errors are stemming from a node-module.

<!DOCTYPE html>
<html lang="en">
<meta charset="utf-8">
<pre>UnauthorizedError: No authorization token was found<br> &nbsp; &nbsp;at middleware (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express-jwt\lib\index.js:79:21)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\layer.js:95:5)<br> &nbsp; &nbsp;at next (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\route.js:137:13)<br> &nbsp; &nbsp;at Route.dispatch (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\route.js:112:3)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\layer.js:95:5)<br> &nbsp; &nbsp;at C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:281:22<br> &nbsp; &nbsp;at Function.process_params (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:335:12)<br> &nbsp; &nbsp;at next (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:275:10)<br> &nbsp; &nbsp;at Function.handle (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:174:3)<br> &nbsp; &nbsp;at router (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:47:12)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\layer.js:95:5)<br> &nbsp; &nbsp;at trim_prefix (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:317:13)<br> &nbsp; &nbsp;at C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:284:7<br> &nbsp; &nbsp;at Function.process_params (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:335:12)<br> &nbsp; &nbsp;at next (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:275:10)<br> &nbsp; &nbsp;at urlencodedParser (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\body-parser\lib\types\urlencoded.js:91:7)</pre>

That error message is helpful.

Can you look at the network tab of devtools, and see if the token is being sent in the request?

You should see an Authorization header with the token. Like this:


Hmm, it’s not. I don’t really understand why tho. Is it the http interceptor? I’ll google a bit and if I figure it out before you reply, I’ll let you know

Here is the screen shot

More I am reading, a few questions come to mind that maybe will help.

  1. Is it an issue that I don’t have any permissions/scopes set?

  2. For query params, should I use an * at the end of the API end point as a wildcard? (ie: ${}?game=*)

To be honest, I am not very familiar with Angular httpInterceptors.

I notice in our Angular + API quickstart we have pass an object with additional parameters to the allowed list, as well as a wildcard at the end of the API uri, which I would think makes any request (including query params) valid. Can you try to format it like our example and see if that works?

httpInterceptor: {
    allowedList: [
        // Match any request that starts '' (note the asterisk)
        uri: '*',
        tokenOptions: {
          // The attached token should target this audience
          audience: '',

          // The attached token should have these scopes
          scope: 'read:current_user'


Ok, so I got it to work lol. All I did was add the * to the end of the URI. I didn’t add the scope, but maybe I’ll play around with it in the future.

Works like this if I remove everying after the ? (including the question mark).


And it works if I make the actually param a wildcard as well.


I guess the wildcard was the answer. For whatever reason the paramter wasn’t working when I hard coded it :man_shrugging:

I think I am good now. I definitely appreciate your help! I was banging my head against the wall for a few days there.

1 Like

Thanks for posting an update.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.