I created an access token with my custom API
{
  "client_id": "KtIK6BuIVodFkblvt3QD5yjsZNaMsLFH",
  "client_secret": "",
  "audience": "https://custom-domain/api/v2/",
  "grant_type": "client_credentials"
}
And I got a token. With that token I call APIs
https://custom-domain/api/v2/organizations/org_WgaeQUZIWxzKGJjy
But I am getting
{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Bad audience: https://custom-domain/api/v2/"
}
I already authorized the API in M2M app KtIK6BuIVodFkblvt3QD5yjsZNaMsLFH.
Hi @muhammad.ali,
Welcome to the Auth0 Community!
The audience should be the identifier of said API, you’ll find it in your APIs settings.
If you have any other questions feel free to let us know.
Have a good one,
Vlad
1 Like
Thanks for the help!
So, I’m using the same identifier as the audience, but I’m running into a “bad audience” error.
My goal is to use custom APIs with limited permissions for our M2M apps, instead of the default Auth0 Management API. I’m using these custom APIs to get tokens (via the M2M app flow) and then using those tokens to access other management APIs. The “bad audience” error happens when I try to use the token to get organization details.
Basically, I want a separate custom API for each M2M app, and each M2M app would be authorized with its own organization using grant client access. This way, the tokens are only valid for that specific organization.
Any ideas why I’m getting the “bad audience” error and how to fix it? I’m starting to wonder if this approach with custom APIs will even work.
Thanks again!
I got a response on another ticket saying that custom APIs aren’t designed for this – they’re for authorizing machine-to-machine communication, not for making management API calls. Is that right?
Thanks again
Yes, that is right. The Management API has all of the possible permissions already active for modifying your Auth0 account. That includes managing users and setting up connections. Any other custom API is made for limited access to everything the Management API does, but they don’t call the Management API.
1 Like
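An added example, not part of the thread and not Auth0's code: a diagnostic that decodes a token's `aud` claim (without verifying the signature) and compares it to the identifier of the API being called, which is the check behind the "Bad audience" response above. The two API identifiers and the sample token are constructed placeholders.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_audiences(jwt: str) -> list[str]:
    """Return the aud claim as a list. Diagnostic only: the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    aud = claims.get("aud", [])
    # RFC 7519 allows aud to be a single string or an array of strings.
    return [aud] if isinstance(aud, str) else list(aud)


def audience_check(jwt: str, api_identifier: str) -> tuple[bool, str]:
    """Mirror a resource server's check: exact, case-sensitive match on its identifier."""
    auds = token_audiences(jwt)
    if api_identifier in auds:
        return True, "ok"
    return False, f"Bad audience: {', '.join(auds) or '<none>'}"


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample token for the demo; the signature segment is a dummy.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed placeholders (assumptions): neither identifier is a real tenant or API.
CUSTOM_API = "https://orders.example/api"
MANAGEMENT_API = "https://tenant.example/api/v2/"
SAMPLE = make_unsigned_token({"aud": CUSTOM_API, "scope": "read:orders"})

if __name__ == "__main__":
    # Token issued for the custom API: accepted there, rejected by any other API.
    print(audience_check(SAMPLE, CUSTOM_API))
    print(audience_check(SAMPLE, MANAGEMENT_API))
```

Running the same check on a real token before calling an endpoint shows which API the token was issued for; the comparison is a plain string match, so a missing trailing slash also fails.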