Auth0 API Token verification failing

We are currently using angular-lock (for our angular app) and ASP.NET Web API (OWIN) (in our API app). Currently we are able to generate a user token in the app but when we try to run it through our API we get a deny for the token. We tried generating a token using the client_id and client_secret of the API app and that token verified just fine (as it should).

The audience is set in the angular app to the audience defined in the auth0 dashboard for the API app. Our angular app also has the client Id of the angular app and domain for our authorization namespace configured properly.

We can’t figure out why our tokens aren’t authorizing in the API. If I have left out any information which is pertinent to resolving this issue let me know and I will update the question. Any help is appreciated.


We are using angular-lock on our app side and we set the audience to the unique identifier for our API. But when we verify the token on it says the audience is the app’s client ID. Is there something wrong here or is that how its supposed to be?

Also after setting the verbose logs on we get the following error:
The string needs to be in compact JSON format, which is of the form: '..'. at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ReadToken(String tokenString) at Microsoft.Owin.Security.Jwt.JwtFormat.Unprotect(String protectedText)
What could be causing this error? We have verified both app and API are using RS256.

Take a look at our WebAPI (OWIN) Quickstart, which outlines how to setup the middleware to handle token verification:

A common reason that causes this issue is if your middleware is configured for HS256 tokens, whereas your tokens are signed with RS256.


We have added a troubleshooting section in our .NET WebAPI (OWIN) Quickstart. Please take a look through this to ensure you have covered the common issues faced with token verification in APIs:

Yep we’re using that code exactly and we confirmed both are using RS256 but tokens are still not validating.

Please take a look at the troubleshooting doc in my modified answer, which we have added to our Quickstart.