Authorization fails when trying to fetch /api/v2/users/

I have the following flow for my single page web app:

        const access_token = await getAccessTokenSilently({
          audience: 'https://dev-********',
          scope: ['read:users', 'read:user_idp_tokens'],
        });
        console.log("Access token: " + access_token)
        // Request the user profile (with identities) from the Management API
        const userWithToken = await fetch("https://dev-********" + user.sub + "?include_fields=true", {
          headers: {
            Authorization: `Bearer ${access_token}`
          }
        });
        // The response body has to be parsed before identities can be read
        const token = (await userWithToken.json()).identities[0].access_token
        console.log("Token:" + token)
        const response = await fetch('' + user.nickname + '/repos', {
          headers: {
            Accept: `application/vnd.github+json`,
            Authorization: `token ${token}`,
          }
        });

The problem is that the call to https://dev-******** fails, either with a 401 Bad audience error (if I specify as an audience when doing getAccessTokenSilently), or Consent is required (if I specify https://dev-******** as an audience), or a plain 400 (if I call getAccessTokenSilently without audience or any params).

How do I make this work?

Hi @altern,

I moved this topic to the #help category (please use this in the future for similar questions).

You cannot get the read:user_idp_tokens scope for a token requested from a client-side app.

You must use a backend service to retrieve the IdP token (GitHub token).
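
The backend approach from the reply above, as an added example (not code from the thread or from Auth0): a Node.js service gets its own Management API token with the client credentials grant, reads the user's GitHub identity token, and calls GitHub itself, so the IdP token never reaches the browser. The tenant domain placeholder, the environment variable names, the `listGithubRepos` helper and the GitHub `/user/repos` endpoint are assumptions; the machine-to-machine application is assumed to be granted `read:users` and `read:user_idp_tokens`.

```javascript
// Added example: backend-side IdP token lookup. The domain, env variable
// names and GitHub endpoint are assumptions, not values from the thread.
const AUTH0_DOMAIN = process.env.AUTH0_DOMAIN || 'YOUR_TENANT.example.com';

// Machine-to-machine token for the Management API (client credentials grant).
async function getManagementToken(fetchImpl = fetch) {
  const res = await fetchImpl(`https://${AUTH0_DOMAIN}/oauth/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: process.env.AUTH0_M2M_CLIENT_ID,
      client_secret: process.env.AUTH0_M2M_CLIENT_SECRET,
      audience: `https://${AUTH0_DOMAIN}/api/v2/`,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// `sub` must come from the caller's already-validated access token, never
// from a request parameter, or any user could list another user's repos.
async function listGithubRepos(sub, fetchImpl = fetch) {
  const mgmtToken = await getManagementToken(fetchImpl);
  const userRes = await fetchImpl(
    `https://${AUTH0_DOMAIN}/api/v2/users/${encodeURIComponent(sub)}`,
    { headers: { Authorization: `Bearer ${mgmtToken}` } });
  if (!userRes.ok) throw new Error(`user lookup failed: ${userRes.status}`);
  const user = await userRes.json();
  // Pick the GitHub identity explicitly instead of trusting identities[0].
  const gh = (user.identities || []).find((i) => i.provider === 'github');
  if (!gh || !gh.access_token) throw new Error('no GitHub identity token');
  const repoRes = await fetchImpl('https://api.github.com/user/repos', {
    headers: {
      Accept: 'application/vnd.github+json',
      Authorization: `Bearer ${gh.access_token}`,
    },
  });
  if (!repoRes.ok) throw new Error(`GitHub request failed: ${repoRes.status}`);
  // Return only what the SPA needs; the IdP token never leaves the backend.
  return (await repoRes.json()).map((r) => ({ name: r.name, private: r.private }));
}
```

The SPA then calls this service with an access token issued for the service's own API audience, and the service validates that token before passing its `sub` to `listGithubRepos`.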
