Best practice on handling aud claims?

I’m started using JWT-based authorisation in my applications, as I have various applications that need to talk to each other and don’t want the overhead of OAuth and constantly bouncing users around to authorise apps.

I have the reason and verifying of JWTs working in my apps, expect for handling the aud claim. My intention was, to use the hostname of each service as the aud, which leads me to my question.

If I have a service at and someone tries to authenticate using a JWT with the aud claim set to, what HTTP response should I return? Would this be a 400 Bad Request? 401 Unauthorized? Is there a standard response for, “Your token is fine, but we’re the wrong audience, buddy”?

Hi @martinbean,

Welcome to the Auth0 Community!

IIRC, this is how we handle it:

  statusCode: 401,
  error: 'Unauthorized',
  message: 'Bad audience: https://example-api'

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.