When trying to delete a user (using a token that works fine for creating users, assigning roles, etc.) I get back:
{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Bad audience: https://dev-9f-tie8v.us.auth0.com/api/v2/"
}
which is funny, because our audience is: https://dev-pb04rcup.us.auth0.com/api/v2…
Nowhere is https://dev-9f-tie8v.us.auth0.com/api/v2/ being set that I can find.
This happens when trying to delete users and remove mfa from users.
Hi @michael24,
Welcome to the Auth0 Community!
You should be able to see what the audience is by inspecting the token. You can do so via JWT.io. When you decode it, what do you see?
{
  "iss": "https://dev-pb04rcup.us.auth0.com/",
  "sub": "ZdH21lmTXIRvWM9N0THVFA4lkxwGYuUU@clients",
  "aud": "https://dev-pb04rcup.us.auth0.com/api/v2/",
  "iat": 1668454630,
  "exp": 1668541030,
  "azp": "ZdH21lmTXIRvWM9N0THVFA4lkxwGYuUU",
  "scope": "...",
  "gty": "client-credentials"
}
looks correct, and as I said – the other api endpoints work correctly, it’s only the delete ones that are telling us we have the wrong audience.
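Added example, not part of the original thread: the same inspection done locally in Python, so a live Management API token never has to be pasted into a website. It decodes the payload without verifying the signature (diagnostics only) and compares `aud` and `exp` against the API being called; the function names are hypothetical and the sample token is constructed from the claims posted above.

```python
import base64
import json
import time


def decode_claims(token):
    """Return the JWT payload as a dict WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, expected_aud, now=None):
    """List mismatches between the token's claims and the API being called."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    # Per RFC 7519 "aud" is either a single string or a list of strings.
    audiences = [aud] if isinstance(aud, str) else list(aud)
    problems = []
    if expected_aud not in audiences:
        problems.append(f"aud {audiences} does not include {expected_aud}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_sample_token(claims):
    """Constructed, unsigned sample token (placeholder signature) for the demo."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}), b64(claims), "sig"])


# Constructed sample built from the claim values shown in the thread.
SAMPLE = make_sample_token({
    "iss": "https://dev-pb04rcup.us.auth0.com/",
    "aud": "https://dev-pb04rcup.us.auth0.com/api/v2/",
    "iat": 1668454630,
    "exp": 1668541030,
})

if __name__ == "__main__":
    for api in ("https://dev-pb04rcup.us.auth0.com/api/v2/",
                "https://dev-9f-tie8v.us.auth0.com/api/v2/"):
        print(api, check_token(SAMPLE, api, now=1668500000) or "OK")
```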
Can you share a snippet of the code you are using to make the request?
curl --location --request DELETE 'https://dev-pb04rcup.us.auth0.com/api/v2/users/auth0|f996f7c2-4f43-4ae6-ba86-acccacf0b426@payfactory.testinator.com' \
--header 'Authorization: Bearer OMMITED'
OMMITED is obviously where the token goes, and again – token works great for creating user, assigning roles, etc, etc.