Auth Server and Audience Base URL can be the same?

I’m currently investigating a legacy project and came across an unusual snippet where the authentication server base URL and the audience base URL are identical. My understanding is that this is typically not allowed unless we are self-hosting Auth0, which is not an option in this case. Are there any scenarios where the provided code could be valid?

export async function getOauthToken(): Promise<Objects.Auth0TokenPayload> {
    const options = {
        method: 'POST',
        url: 'https://' + authvalues.DOMAIN + '/oauth/token',
        headers: { 'content-type': 'application/json' },
        json : true,
        body: {
            client_id : authvalues.API_CLIENTID,
            client_secret : authvalues.API_CLIENTSECRET,
            audience : 'https://' + authvalues.DOMAIN + '/api/v2/',
            grant_type : 'client_credentials',

    const resp = as unknown;

More clue: nodejs that serve an angular front end (run in same port)

Thank you for your assistance.

Hey @aamuzakii welcome to the community!

This looks to me like code to obtain a management API access token for which is it valid as far as I can tell.

1 Like

Thanks, I just realize it. We cannot create API with identifier pointing to auth0 domain, but there’s already existing API using such identifier, i.e. the Managemen API

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.