Bad Audience when using a custom API

jwt
api

#1

I’m using a custom API for user management. I can get a JWT for that API easily, but when I try to use it, I get the reply:
"message": "Bad audience: <api audience/identifier>"
The endpoint I’m posting the data to is my usual endpoint (https://some-name.eu.auth0.com/api/v2/), my identifier/audience is: https://my.some-name.be/user-mgmt. The scopes of the api are set right (and that doesn’t seem to be the problem).

Why do I get:

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Bad audience: https://my.some-name.be/user-mgmt"
}

?


#2

Hi Kurt,

In case of calling Auth0 management API v2, you should use the https://{tenant}.auth0.com/api/v2/ audience. A custom audience is not accepted for Auth0 management API v2.

Regards,
Amin


#3

I have the same issue. I tried to remove the audience from my token request but got an error:

{
  "error": "access_denied",
  "error_description": "Non-global clients are not allowed access to APIv1"
}

This is what my request looks like:

curl -X POST \
  https://intoglobal.eu.auth0.com/oauth/token \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'postman-token: e02ffd35-4fdd-5ad9-d821-12b8496caa98' \
  -d '{"client_id":"7xVERL0bjhY8uWgH62ECfXVXeLW4fzyi","client_secret":"2XtyYZm6zAI3klTMyotFoNOl5IZi6GUI5n3P1UVko27uCvXjxaVBaOf9YnxWgcau","grant_type":"client_credentials"}'

I was able to get a token if I have audience set, but then that token is not useful when I want to access this endpoint: https://intoglobal.eu.auth0.com/api/v2/users.

Please help.


#4

Hi lyubomir,

First of all, visit your client page and rotate your secret 🙂

Second, your request is mostly valid, just missing audience:

{
  "client_id":"7xVERL0bjh*****XeLW4fzyi",
  "client_secret":"XXXX",
  "grant_type":"client_credentials", 
  "audience":"https://[tenant].eu.auth0.com/api/v2/"
}

Make sure the client is allowed to include the v2 API audience by visiting APIs > Auth0 Management API > Non Interactive Clients and authorizing your client (7xVERL0bjhY********VXeLW4fzyi) with the selected scopes. Do this only after rotating your secret.

Regards,
Amin


#5

I have the same problem. I tried your solution, but I’m still getting “bad audience” when calling https://auth0-eu.xxx.com/api/v2/users/auth0|xxxxx to delete a user.

I’m trying to spot the error, but I’m having some trouble here.


#6

I have the same problem. When I hit https://glplus.auth0.com/api/v2/tickets/password-change to reset a new password, I am getting:

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Bad audience: https://glp.auth0.com/api/v2/"
}

Also, why does the password-change API expect an auth token, as the user is not logged in while resetting a new password?


#7

Hi Pratibha,

Apparently you have two tenants, glplus and glp, and you are using an access_token from glp to invoke the management API in glplus.

Regards,
Amin
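
The audience mismatches diagnosed in replies #2 and #7 can be checked before the API call by reading the token's `aud` claim. The following is an added example, not part of the original thread or Auth0's code: the function names and sample tokens are constructed, the signature is not verified (diagnostics only), and it assumes the endpoint is called on the tenant's own Auth0 domain.

```python
import base64
import json
from urllib.parse import urlsplit


def jwt_claims(token):
    """Decode the payload segment of a JWT WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_audience(endpoint_url):
    """Management API v2 audience for the tenant that serves endpoint_url."""
    # Assumption: the URL uses the tenant's own Auth0 domain, as in posts #1 and #6.
    parts = urlsplit(endpoint_url)
    return f"{parts.scheme}://{parts.netloc}/api/v2/"


def check_audience(token, endpoint_url):
    """Return (ok, explanation) for calling endpoint_url with this token."""
    aud = jwt_claims(token).get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])  # aud: string or list
    want = expected_audience(endpoint_url)
    if want in audiences:
        return True, f"aud contains {want}"
    return False, f"aud is {audiences}, but this endpoint expects {want}"


def make_sample_token(claims):
    """Constructed sample token; the third segment is a dummy, not a real signature."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.c2ln"


if __name__ == "__main__":
    cases = [  # constructed tokens mirroring the situations in the thread
        ("https://my.some-name.be/user-mgmt", "https://some-name.eu.auth0.com/api/v2/users"),
        ("https://glp.auth0.com/api/v2/", "https://glplus.auth0.com/api/v2/tickets/password-change"),
        ("https://glplus.auth0.com/api/v2/", "https://glplus.auth0.com/api/v2/tickets/password-change"),
    ]
    for aud, url in cases:
        print(check_audience(make_sample_token({"aud": aud}), url))
```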


#8

Hi Amin,

How do I reset the password for a user who forgot his password? An access token is not available for that.
I have implemented sending a password link email for forgotten passwords, but I am unable to find any way to reset the password without an access token.


#9

Hi Pratibha, please open a new question for it & I’ll reply there.


#10

Hi Amin,

I have already opened a new question. Can you please reply on the same?