Can you explain the purpose of custom APIs in the application?

I’m using the Auth0 SSO flow for user authentication, which is working perfectly fine. After the login callback, when I try to fetch additional user details using the Management API, I get a 401 Unauthorized "Bad Audience" error as the response.

However, it works fine if I use the system Auth0 Management API as the audience while creating the token. I also tried with the token generated using the custom API as the audience in the API explorer and it has the same error.

The test tab in the Auth0 dashboard API detail page provides some code to generate tokens and access the APIs. Since I am not able to access the Management APIs, please let me know if I am doing something wrong. What other APIs can be accessed with this token, if not the Management APIs?

Adding the code I tried below:

$curl = curl_init();

// Placeholders in braces are the tenant, the application's client credentials and
// the identifier of the custom API. The audience requested here is the custom API
// identifier, so the resulting access token is scoped to that API.
$body = json_encode(array(
  "client_id"     => "{client_id}",
  "client_secret" => "{client_secret}",
  "audience"      => "{my_new_custom_domain}",
  "grant_type"    => "client_credentials",
));

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://{tenant}.auth0.com/oauth/token",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => $body,
  CURLOPT_HTTPHEADER => array(
    "content-type: application/json"
  ),
));
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
  echo "cURL Error #:" . $err;
} else {
  // Raw JSON response from /oauth/token, including the access_token
  echo $response;
}

This code successfully returns a token, which I can validate using jwt.io.

I tried https://{tenant}.auth0.com/api/v2/users/{user_id} for the path_to_your_api.
However, when I use this token for the Management API, I get a 401 error response:
{"statusCode":401,"error":"Unauthorized","message":"Bad audience: <my_new_custom_domain>"}

Hi @sachin1,

Welcome to the Auth0 Community!

I understand that you have questions about using custom APIs.

Firstly, the 401 Unauthorized error you encountered when using the Management API happens when you request an access token that does not specify the Management API as the audience.

The Management API for each tenant will have the following format: https://DOMAIN.REGION.auth0.com/api/v2/

And as you have observed, generating an access token using a custom API results in an unauthorized error.

Therefore, we recommend using the Management API identifier as your audience if you intend to make Management API calls.

Please see our documentation below to learn more.

If you have any additional questions, please feel free to reach out.

Thank you.
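The check behind that 401 is the resource server comparing the token's aud claim with its own identifier. The example below is added here to show it end to end and is not code from the thread or from Auth0: it mints a JWT for a given audience and then validates it the way an API would, first signature, then audience. HS256 with a constructed demo key stands in for Auth0's RS256 tenant key so that it runs offline; the tenant domain, the custom API identifier https://my-custom-api.example.com and the claim values are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Auth0 signs access tokens with RS256 and a tenant key pair;
# HS256 is used here only so the example runs without any key material.
DEMO_KEY = b"demo-signing-key-not-a-real-secret"

# Assumed identifiers; {tenant} stands in for the real tenant domain.
MANAGEMENT_API_AUDIENCE = "https://{tenant}.auth0.com/api/v2/"
CUSTOM_API_AUDIENCE = "https://my-custom-api.example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(audience, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT for `audience` (a string or a list of strings),
    standing in for the client_credentials response from /oauth/token."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "https://{tenant}.auth0.com/",
        "sub": "{client_id}@clients",
        "aud": audience,
        "scope": "read:users",
    }
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def unauthorized(message: str) -> dict:
    # Same shape as the 401 body quoted in the original post.
    return {"statusCode": 401, "error": "Unauthorized", "message": message}


def verify_token(token: str, expected_audience: str, key: bytes = DEMO_KEY) -> dict:
    """Resource-server side validation: pin the algorithm, verify the signature,
    then require `expected_audience` to be present in the aud claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return unauthorized("Malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Never let the token pick its own algorithm (alg confusion).
        return unauthorized("Unexpected algorithm")
    expected_sig = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        return unauthorized("Invalid signature")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    # aud may be a single string or a list (Auth0 adds /userinfo as a second
    # audience when openid scope is requested), so normalise before checking.
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return unauthorized(f"Bad audience: {aud}")
    return {"statusCode": 200, "claims": claims}


if __name__ == "__main__":
    # A token minted for the custom API is rejected by the Management API ...
    custom_token = mint_token(CUSTOM_API_AUDIENCE)
    print(verify_token(custom_token, MANAGEMENT_API_AUDIENCE))
    # ... but accepted by the custom API it was issued for.
    print(verify_token(custom_token, CUSTOM_API_AUDIENCE)["statusCode"])
    # Only a token whose audience is the Management API identifier passes there.
    print(verify_token(mint_token(MANAGEMENT_API_AUDIENCE), MANAGEMENT_API_AUDIENCE)["statusCode"])
```

The audience check is deliberately done after the signature check: an attacker cannot make a token for API A acceptable to API B just by editing the aud claim, because the signature no longer matches. The same logic is why a token obtained with the custom API as audience is valid only for that API and nothing else.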

@rueben.tiow Thanks for the quick reply. Yes, I arrived at the same conclusion.

So can you please confirm whether there are any uses for the token (generated using the custom API as the audience)? Also, it’d be great if you could point me to documentation about the use cases of custom APIs, like why and where we should be using them if not for the Management APIs.