Auth0_api_audience credential not being passed in Rails, yet things work

I was following to set up an application that functions purely as an api, from which resources can be requested from for authenticated and authorized users. The requests are happening from a React SPA.
I’m confused about the following line in this section:

aud: Rails.application.secrets.auth0_api_audience

In the whole article, it is never mentioned to add this credential to the Rails credentials.yml.enc file. Nonetheless the authentication and authorization works correctly. Why is that? Is this credential not necessary? Does this have any security compromises?

Thank you

1 Like

The audience is the uri of your API. In the quickstart they use https://quickstarts/api as the identifier for example. In this example it looks like that param is taken from the .env file as AUTH0_AUDIENCE. You may have added it there if you are following the tutorial.

More specifically, the function that you mention is for the decode and verification of the token. If it was incorrect, then the signature of the token would not match and would not be verifiable.

Hope this helps!


Hi Dan.

Completely agree with you, which is why I expected the tutorial to mention that line somewhere, but it didn’t. It’s nowhere mentioned to add this credential to the env file or similar, which is why I haven’t done so so far, yet the app works fine, which surprised me.


1 Like

I just tried it. It will fill in that .env automatically if you use the Download Sample button. You can always check to see if it is filled in correctly. Otherwise it is mentioned at the top of the GitHub repo README here.

I think it is purposefully omitted from the quickstart page because it will be auto-filled when you select the api you are downloading the sample for. If there something that is misleading or unclear, please let me know and we can work on it. Thanks.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.