Error calling my external API

I want to use the token that I get from the getAccessToken function in my Nextjs API endpoint to call my external API that I already created in the Auth0 dashboard but I’m getting this error:

# This is my NextJS API endpoint /api/books
export default withApiAuthRequired(async function getBooks(req:any, res:any) {
  const { accessToken } = await getAccessToken(req, res); # <---- I see this is not a JWT token but opaque token
  const response = await booksApi('/books?title=Calcu', { headers: { "Authorization": `Bearer ${accessToken}` } })
  res.status(200).json({ accessToken, response })

I created the books-service in the API section on the Auth0 Dashboard and added ‘read:books’ to the permissions list(scopes) but I don’t know where I should specify that permission in the code.

Hi @solvy-dev,

Welcome to the Auth0 Community!

It sounds like you are missing the audience parameter. See this FAQ:

Ok I could get the JWT access token sending the audience and I checked the token on the website and I can see the payload

export default handleAuth({
  login: async (req, res) => {
    await handleLogin(req, res, {
      returnTo: "/dashboard",
      authorizationParams: {
        audience: 'MY_EXTERNAL_API_IDENTIFIER',

But when I send that token to my external API I get the next response with statusCode

    "message": null

What type of configuration should I implement in my external API? Do I have to verify something else beside the JWT signature or set some fields?

From there it is up to you what you want to do with your API. I can point you towards an example if you tell me about your external API (what language, framework, etc).

That’d be awesome. To provide some context I’m using Serverless Framework but any NodeJS example I think is helpful. This is the code from my AWS Lambda authorizer which is an endpoint that is hit every time I send a request to other endpoints like /api/v1/products in order to get permission to work as expected.

    const token = event.authorizationToken.replace('Bearer ', '');
    const claims = jwt.verify(token, EnvironmentConfig.auth0PublickKey) as JwtPayload; 
    const principalId = claims.sub as string
    const policy = generatePolicy(principalId, event.methodArn);
    return {
      context: claims 

When I verify the token I use the PEM certificate downloaded from my regular web app on the Auth0 dashboard. That’s all the code that I’m using on my backend to handle the token. Am I missing something?

Have you seen this blog? It sounds like it runs over most of your setup:

Ok I found the solution, the problem is in the Context returned by the authorizer AWS Lambda function. The type of that context is:

export interface APIGatewayAuthorizerResultContext {
    [name: string]: string | number | boolean | null | undefined;

And the JWT access token payload returned by Auth0 has the property aud which contains an array and that breaks something in AWS and that’s why the response is { "message": null } with status code 500.

Thanks @dan.woda for your help! Now my external API is working as expected :smiley:

1 Like

Thanks for sharing! :slight_smile:

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.