Error while confirming MFA SMS enrollment


I am trying to build a feature where our customer can change the phone number enrolled for MFA. Our users connect with password grant type or using MFA (when required). After being logged in, I want them to be able to change their phone number enrolled.

I added the scopes “read:authenticators” and “enroll” in my API configuration on Auth0 and at the user level as well. I add those scopes as well when logging in with my custom audience.

After logging in, I am able to use the access token as mfa token and successfully use the endpoints GET /mfa/authenticators and POST /mfa/associate.

But when I try to confirm this enrollment with POST /oauth/token, I get the following error:
“error”: “invalid_grant”,
“error_description”: “invalid audience”

I don’t get why my audience is working perfectly fine at login time and its working perfectly fine to associate the new authenticator after logged in, but I cannot use it to confirm the enrollment.

I tried to check those links but I still was not able to make it work:
Associate MFA factor from own UI: error on factor activation - Auth0 Community
How to Enroll a User in Both Google Authenticator and SMS with MFA API - Auth0 Community

Thanks a lot for your help

EDIT: It looks like its working ONLY if I use the audience of management API at login time but this is not what I want, because then the scope is not the one I want for my logged in user, I want the audience to be my API.