We’re setting up a new application that has a back-end as API and a front-end (Web and native app). We want that, after a successful login, the user id and access token are sent to the back-end, so this validates with Auth0. For web, we tested the Universal login and it worked fine, but we couldn’t validate the user’s info with Auth0 with the API; every way it returns an access error or “Bad audience”. I assume it is because the API has no access to the users logged in by Universal login, because the API creates its own testing app. I tried to add the Web application to the API M2M application, but it’s not available. Are we missing something? Is there a way to validate that the user is really authenticated (the back-end can’t blindly trust the front-end)?
Auth0 team, the topic of “Bad Audience” needs a review. There are several topics with the same issue for months and all of them have been closed without a satisfactory response (Search results for 'bad audience' - Auth0 Community).
For everyone having this issue:
The “Auth0 Management API System API” auto-created API works following the documentation, and new Custom APIs don’t work even doing exactly the same steps. From what I found and some others have responded, the issue is with the identifier: the auto-created API has the https://TENANT_DOMAIN/api, and for some reason that matches the audience, but when creating a new one, it’s not possible to use the TENANT_DOMAIN as part of the new API identifier (it says it is reserved for Auth0), and using anything else will lead to a Bad audience error, even when the access token can be obtained correctly. It looks like something is missing in the documentation to explain better the use case of the Custom APIs; it seems like those can only be used from the SDK, but in my case even from the SDK I got the Unauthorized error.
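The back-end check the first post asks for, as an added example that is not code from this thread or from Auth0: the front-end requests the access token with the API’s identifier as the `audience` parameter at login, and the API then verifies the token itself (signature, issuer, expiry and the `aud` claim) instead of trusting anything the front-end says. The `aud` check is what produces a bad-audience rejection when the token was minted for a different identifier, or when an ID token (whose `aud` is the client ID) is sent instead of the access token. The tenant domain, API identifier and signing secret below are constructed, and HS256 with a shared secret is used only so the example runs offline; Auth0 access tokens are RS256 and the public key comes from the tenant’s JWKS endpoint, but the claim checks are the same.

```python
"""Back-end verification of a bearer access token: signature, issuer, expiry
and audience. Constructed example; HS256 is used so it runs offline, whereas
a real Auth0 access token is RS256 verified against the tenant JWKS."""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Tuple, Union

# Constructed values: hypothetical tenant, hypothetical API identifier, test secret.
ISSUER = "https://example-tenant.auth0.com/"
API_AUDIENCE = "https://api.example.com/"
SECRET = b"constructed-signing-secret-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, aud: Union[str, List[str]], issuer: str = ISSUER, ttl: int = 300) -> str:
    """Stand-in for the authorization server; only here to keep the example
    self-contained. Issues a compact HS256 JWT for the given subject/audience."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": issuer, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url_encode(json.dumps(header).encode()) + "."
        + _b64url_encode(json.dumps(claims).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, expected_aud: str = API_AUDIENCE, expected_iss: str = ISSUER) -> dict:
    """What the API does with the bearer token. Raises ValueError with the
    reason on any failure; the order matters: never read claims before the
    signature has been checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("bad issuer")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    # aud may be a single string or a list; the API identifier must be among them.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError("bad audience")
    return claims


def authorize_request(bearer: str) -> Tuple[int, str]:
    """HTTP-style outcome for a request carrying `bearer`: (status, subject or reason)."""
    try:
        claims = verify_token(bearer)
    except ValueError as exc:
        return 401, str(exc)
    return 200, claims["sub"]


if __name__ == "__main__":
    good = mint_token("auth0|user1", API_AUDIENCE)
    print(authorize_request(good))
    # Token minted for some other audience: valid signature, but not for this API.
    print(authorize_request(mint_token("auth0|user1", "https://other-api.example.com/")))
```

The key design point is that the API needs only the issuer, the expected audience and the issuer’s verification key; it never needs to call back to the front-end or to share the front-end’s application configuration, which is why the M2M application in the question is not the right tool for this check.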