Bad Issuer on Custom Domain when using Token to Instantiate ManagementClient

Problem statement

This article explains a potential cause for the error Bad Issuer while using the node-auth0 SDK and a custom domain value.


Bad Issuer error when trying to use tokens


When using a token to instantiate the ManagementClient, the domain that was used to generate the token must match the domain that is configured in the ManagementClient’s settings.


The node-auth0 library expects the token’s Issuer to match the provided domain, and the issuer claim within the token will match the tenant’s domain that was used in the authentication/client credential exchange to obtain the token originally.
Please note that the audience will not change between tokens issued from custom or canonical/default tenant domains, as this is purely an identifier.

e.g. When using a Management API access token that was issued via a custom domain, the ManagementClient instantiation would look like:

new ManagementClient({
audience: """,

Please see the below doc link for some more information on how custom domains affect API usage: