
Bad Audience - 401 Unauthorized

I have created a separate application and custom API in the US region tenant. When I try to access Management API endpoints such as [/api/v2/roles] and [/api/V2/users] in Postman as well as in the Auth0 Management API, I get the same error statement, “bad audience”. For /api/v2/users I even tried using search_engine=v3 as a query parameter, but in vain; it resulted in the same error, 401 bad audience. How can I use the configured custom API to access and test the Management APIs?

From what you describe it sounds like you’re sending an incorrect access token for the Management API call, in particular, one with an incorrect audience which may have been obtained for your custom API instead.

You can check (https://auth0.com/docs/api/management/v2/get-access-tokens-for-test) for a quick way to obtain a management API access token for testing.

I have used the exact access token belonging to the custom API. I have decoded the access token to check whether the permissions for the custom API exist. I came across a similar question in the Auth0 community where it was mentioned to use only the Auth0 Management API and that custom APIs are not supported. I'm not sure whether that’s the case. Would appreciate some help!

Referring to this topic: Bad Audience when using a custom API

Also, when I tried to create the new custom API, there were no permissions (scopes) available for me to choose from, like the default permissions (scopes) in the Auth0 Management API. Why does the custom API not show the default scopes, so I can select from them? I had to manually type each scope for the custom API. Is there any other way to add the default available scopes to the custom API?

An access token meant for an API you created yourself (custom API) is NOT meant to be used to call the Management API.

In addition, a custom API is by definition custom so it can be an API that tackles whatever business model/requirements you would so desire. In other words, it would not be feasible to come up with a set of default scopes, because each custom API will likely model things differently.

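The audience mismatch described in the answer above, as an added example that is not part of the original thread: it decodes a token's payload (without verifying the signature, for diagnosis only) and compares the `aud` claim with the audience the target API expects. The tenant domain and custom API identifier are constructed placeholders, and the Management API audience is assumed to have the form `https://<tenant-domain>/api/v2/`.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying the signature.
    For diagnosis only; never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT (opaque token?)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_problem(token: str, expected_aud: str):
    """Return None if expected_aud is in the token's aud claim, else a message."""
    aud = jwt_claims(token).get("aud")
    # The aud claim may be a single string or a list of strings.
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_aud in audiences:
        return None
    return f"bad audience: token is for {audiences}, API expects {expected_aud!r}"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed sample token with a fake signature for the demo."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.constructed-signature"


# Constructed values: tenant domain and custom API identifier are placeholders.
MGMT_AUD = "https://example-tenant.us.auth0.com/api/v2/"
CUSTOM_AUD = "https://my-custom-api.example"

# Same scope names in both tokens: only the audience differs.
custom_token = make_unsigned_token({"aud": CUSTOM_AUD, "scope": "read:users read:roles"})
mgmt_token = make_unsigned_token({"aud": [MGMT_AUD], "scope": "read:users read:roles"})

if __name__ == "__main__":
    print(audience_problem(custom_token, MGMT_AUD))  # mismatch message
    print(audience_problem(mgmt_token, MGMT_AUD))    # None
```

Scopes typed into a custom API with the same names as Management API scopes do not change the outcome: the check fails on `aud` before scopes are considered.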

That's great! Thank you.