Bad Audience when using a custom API

JWT.io
,
1

I’m using a custom API for user management. I can get an JWT for that API easily, but when I try to use it, I get the reply:
"message": "Bad audience: <api audience/identifier>"
The endpoint I’m posting the data to is my usual endpoint (https://some-name.eu.auth0.com/api/v2/), my identifier/audience is: https://my.some-name.be/user-mgmt. The scopes of the api are set right (and that doesn’t seem to be the problem).

Why do I get:

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Bad audience: https://my.some-name.be/user-mgmt"
}

?

2

Hi Kurt,

In case of calling Auth0 management API v2, you should use
https://{tentant}.auth0.com/api/v2/ audience. A custom audience is not accepted for Auth0 management API v2.

Regards,
Amin

2 Likes
3

i have the same issue, tried to remove the audience from my token request but got error:

{
“error”: “access_denied”,
“error_description”: “Non-global clients are not allowed access to APIv1”
}

This is how my request looks like:

curl -X POST
https://intoglobal.eu.auth0.com/oauth/token
-H ‘cache-control: no-cache’
-H ‘content-type: application/json’
-H ‘postman-token: e02ffd35-4fdd-5ad9-d821-12b8496caa98’
-d ‘{“client_id”:“7xVERL0bjhY8uWgH62ECfXVXeLW4fzyi”,“client_secret”:“2XtyYZm6zAI3klTMyotFoNOl5IZi6GUI5n3P1UVko27uCvXjxaVBaOf9YnxWgcau”,“grant_type”:“client_credentials”}’

I was able to get a token if I have audience set, but then that token is not useful when I want to access this endpoint: https://intoglobal.eu.auth0.com/api/v2/users.

Please help.

4

Hi lyubomir,

First of all, visit your client page and rotate your secret :slight_smile:

Second, your request is mostly valid, just missing audience:

{
  "client_id":"7xVERL0bjh*****XeLW4fzyi",
  "client_secret":"XXXX",
  "grant_type":"client_credentials", 
  "audience":"https://[tenant].eu.auth0.com/api/v2/"
}

Make sure client is allowed to include v2 API audience by visiting APIs > Auth0 Management API > Non Interactive Clients and Authorize your client (7xVERL0bjhY********VXeLW4fzyi) with selected scopes. Do this only after rotating your secret.

Regards,
Amin

1 Like
5

I have the same problem. I tried your solution, but I’m still getting “bad audience” when calling https://auth0-eu.xxx.com/api/v2/users/auth0|xxxxx to delete a user.

I’m trying to spot the error, but I’m having some troubles here.

6

I have same problem, when i hitting https://glplus.auth0.com/api/v2/tickets/password-change for reset new password, i am getting
{
“statusCode”: 401,
“error”: “Unauthorized”,
“message”: “Bad audience: https://glp.auth0.com/api/v2/
}
Also why in password-change api expect auth-token, as user not logged in while reset new password

7

Hi Pratibha,

Apparently you have two tenants. glplus and glp, and you are using access_token from glp to invoke management API in glplus.

Regards,
Amin

8

Hi Amin,

how to reset password for a user who forgot his password, for that access token is not available.
I have implemented password link email sent for forgot password, but i am unable to find any way to reset password without access token.

9

hi Pratibha, please open a new question for it & I’ll reply there.

10

Hi Amin,

I have already open new question . can you please reply on same.

11

This is not what the docs are saying
" If you get an Access Token for the Management API using an authorization flow with your custom domain, you must call the Management API using the custom domain (your token will be considered invalid otherwise)."

also there is no way to change the management API audience , for example after you created a custom domain.
please provide a solution - cause i cannot have the real domain in my server configuration.

thanks
Shlomi

1 Like
12

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?