Invalid Audience when using delete management api calls

When trying to delete a user (using a token that works fine for creating users, assigning roles, etc.) I get back:

    "statusCode": 401,
    "error": "Unauthorized",
    "message": "Bad audience:"

which is funny, because our audience is:

Nowhere is being set that I can find.

This happens when trying to delete users and remove MFA from users.


Hi @michael24,

Welcome to the Auth0 Community!

You should be able to see what the audience is by inspecting the token. You can do so via When you decode it, what do you see?

    "iss": "",
    "sub": "ZdH21lmTXIRvWM9N0THVFA4lkxwGYuUU@clients",
    "aud": "",
    "iat": 1668454630,
    "exp": 1668541030,
    "azp": "ZdH21lmTXIRvWM9N0THVFA4lkxwGYuUU",
    "scope": "...",
    "gty": "client-credentials"

looks correct, and as I said – the other api endpoints work correctly, it’s only the delete ones that are telling us we have the wrong audience.

Can you share a snippet of the code you are using to make the request?

    curl --location --request DELETE '|' \
    --header 'Authorization: Bearer OMMITED'

OMMITED is obviously where the token goes, and again – token works great for creating user, assigning roles, etc, etc.
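
Added example, not part of the original thread: one way to do the token inspection suggested above locally, so the bearer token never leaves your machine. It decodes the payload without verifying the signature and checks `aud`, which may be a string or a list. `EXPECTED_AUD`, the function names and the sample token are constructed placeholders.

```python
import base64
import json

# Placeholder audience, constructed for this example (not taken from the thread).
EXPECTED_AUD = "https://example-tenant.example/api/v2/"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def audience_matches(claims: dict, expected: str) -> bool:
    """The aud claim may be a single string or a list of strings (RFC 7519)."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list):
        return expected in aud
    return False


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature so this runs offline."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    token = make_sample_token({"aud": EXPECTED_AUD, "gty": "client-credentials"})
    claims = decode_claims(token)
    print("aud:", claims.get("aud"), "| matches:", audience_matches(claims, EXPECTED_AUD))
```
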