Hi,
There will be a different audience for each deployment environment.
I’m using the password flow to make and test the tokens.
The dotnet core API is going to be done around OAuth like in these samples: GitHub - auth0-samples/auth0-aspnetcore-webapi-samples: Auth0 Integration Samples for ASP.NET Core WebAPI Services, so it’s gonna use JWT tokens created by an app.
And I was trying to push the user roles into the tokens. It works with a rule like this that I’ve taken from other examples like this one: Get the user role on Login.
    function (user, context, callback) {
      // Roles may come from the user profile or from the authorization context
      var roles = user.roles || (context.authorization && context.authorization.roles);
      if (roles && roles.length) {
        // Custom claims must be namespaced; the namespace is hard-coded to the audience here
        var ns = 'https://localhost:8443/api/';
        context.accessToken[ns + 'roles'] = roles;
        context.idToken[ns + 'roles'] = roles;
      }
      return callback(null, user, context);
    }
This is what I get as claims in the API, from the token, which is great:
    [
      {
        "type": "https://localhost:8443/api/roles",
        "value": "Demo"
      },
      {
        "type": "https://localhost:8443/api/roles",
        "value": "User"
      },
      ...
But that means I had to hard code a namespace that is my audience and that’s not going to work with my deployment environments.
It doesn’t work without a namespace – so ‘context.accessToken.roles’ doesn’t end up in the claims, and that namespace cannot be my domain – for some obscure reason.
To avoid hard coding my audience, I was looking into getting it from somewhere inside the rule, but I did not manage.
Also I might be doing this the wrong way, from the design pov.
Any help would be appreciated,
Thanks
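As an added example (not the poster's rule and not Auth0's own code), one way to stop hard-coding a single namespace is to keep an allow-list of the audiences used per deployment environment and pick the namespace from the audience the client actually requested. It assumes the requested audience is exposed to the rule on `context.request.query.audience` (authorize requests) or `context.request.body.audience` (token endpoint); confirm that against the rules context documentation for your tenant before relying on it. Unknown audiences get no role claims, so a client cannot choose an arbitrary namespace.

```javascript
// Constructed sample map: one entry per deployment environment.
// Key = API identifier (audience), value = claim namespace to use for it.
const AUDIENCE_NAMESPACES = {
  'https://localhost:8443/api/': 'https://localhost:8443/api/',
  'https://api.staging.example.com/': 'https://api.staging.example.com/',
  'https://api.example.com/': 'https://api.example.com/',
};

// Assumption: the audience requested by the client is visible to the rule
// in context.request.query (authorize) or context.request.body (token endpoint).
function requestedAudience(context) {
  const req = (context && context.request) || {};
  return (req.query && req.query.audience) || (req.body && req.body.audience) || null;
}

// Rule body: same role lookup as the original rule, but the namespace is
// resolved from the allow-list instead of being a fixed string.
function addRoleClaims(user, context, callback) {
  const roles = user.roles || (context.authorization && context.authorization.roles);
  const aud = requestedAudience(context);
  // Only audiences we know about get a namespace; anything else is ignored.
  const ns = aud && Object.prototype.hasOwnProperty.call(AUDIENCE_NAMESPACES, aud)
    ? AUDIENCE_NAMESPACES[aud]
    : null;
  if (ns && roles && roles.length) {
    context.accessToken[ns + 'roles'] = roles;
    context.idToken[ns + 'roles'] = roles;
  }
  return callback(null, user, context);
}

// Stand-alone run with a constructed context mimicking a password-grant request.
function demo() {
  const ctx = {
    request: { body: { audience: 'https://api.example.com/' } },
    authorization: { roles: ['Demo', 'User'] },
    accessToken: {},
    idToken: {},
  };
  let result = null;
  addRoleClaims({}, ctx, (err, user, context) => { result = context; });
  return result;
}
```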