
HTTP 401 /userinfo



I am not sure, but I can’t get AUTH0 to work stably. Always, I get some strange errors and it takes hours to troubleshoot. Today, I suddenly started to get the following issue.

www-authenticate:Bearer realm="Users", error="invalid_token", error_description="The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens"

I have changed to HS256 and back, no result.


I’m afraid with the information you provided I can’t provide you with more specific guidance than what’s included in the error message.

You should refer to this previous answer to a related question or include more information, in particular, sufficient information about the access token that leads to the error. Based on the error, the access token seems to be a JWT so you can include the header and payload part of the token in your question (you can mask some of the info that is account specific). The interesting part to know would be which audiences the access token contains and the signature method.
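One way to collect the details the answer asks for (signature method and audiences), shown as an added example that is not part of the original thread. The function names, the list of claims to mask and the sample token are assumptions constructed for illustration; the token is decoded only, its signature is not verified.

```python
import base64
import json

# Assumption: claims treated as account specific and masked before sharing.
MASKED_CLAIMS = ("sub", "iss", "azp")

def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_access_token(token: str) -> dict:
    """Report alg and audiences of a JWT access token without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        # Opaque (non-JWT) access tokens carry no readable header or payload.
        return {"jwt": False, "alg": None, "aud": [], "hs256_multi_aud": False}
    header, payload = b64url_json(parts[0]), b64url_json(parts[1])
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # aud may be str or list
    alg = header.get("alg")
    shareable = {k: ("<masked>" if k in MASKED_CLAIMS else v)
                 for k, v in payload.items()}
    return {"jwt": True, "alg": alg, "aud": aud,
            # The condition named in the error_description quoted above.
            "hs256_multi_aud": alg == "HS256" and len(aud) > 1,
            "shareable_payload": shareable}

def _segment(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JWT segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token: placeholder hosts, placeholder signature.
SAMPLE_TOKEN = ".".join([
    _segment({"alg": "HS256", "typ": "JWT"}),
    _segment({"iss": "https://tenant.example.test/",
              "sub": "auth0|constructed-user",
              "aud": ["https://api.example.test",
                      "https://tenant.example.test/userinfo"],
              "scope": "openid profile"}),
    "signature-placeholder",
])

if __name__ == "__main__":
    print(json.dumps(inspect_access_token(SAMPLE_TOKEN), indent=2))
```

The `shareable_payload` value is what could be pasted into a question; the signature segment is never included in the output.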