The quickstart you linked to uses Auth0.js (v8) and auth0-cordova libraries. The current quickstart code then calls auth0-cordova (which has built-in support for doing PKCE) and does not call the authorize method of Auth0.js (v8). In practice the Auth0.js (v8) library is only used to perform the call to the /userinfo endpoint after the authentication and authorization transaction has completed and the client application already has the tokens (which were obtained through PKCE due to the usage of

You mention that you get a 401, but only when adding an audience parameter. This suggests that the source of the 401 is that the code is trying to perform a /userinfo call with an unsuitable access token. More specifically, given it stops working when adding the audience, the API associated with the audience identifier being added is probably using HS256 as the signing algorithm.

When doing both an authentication (according to OpenID Connect) and an authorization request (aka you also include an audience parameter for the authorize endpoint) in a single go, the issued access token can have multiple audiences/purposes depending on configuration. If the requested audience uses RS256, the access token will be issued with multiple audiences, one that allows calling the /userinfo endpoint and the other targeting your own API. If the API uses HS256, then the /userinfo endpoint cannot be called because the access token will only include your own API as an audience.

In conclusion, if you want to call /userinfo and your own API and perform a single request, then the API needs to use RS256 so that the issued access token is multi-purpose.
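
To check which case described in the answer above applies to a given token, the header and payload of the access token can be decoded and the `alg` and `aud` values inspected before /userinfo is called. The following is an added example, not code from the original post or from the Auth0 libraries. Assumptions: the tenant domain and API identifier are placeholders, the /userinfo audience is taken to be the issuer URL followed by `userinfo`, and Node's `Buffer` is used for decoding (a Cordova WebView would use `atob` instead).

```javascript
// Added example: inspect (do not verify) an access token's alg and aud claims.
// ISSUER and the API identifier are placeholders, not values from the post.
const ISSUER = "https://example-tenant.auth0.com/";

function b64urlJson(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Decodes header and payload only; the signature is NOT checked here,
// so the result is diagnostic and must not be used for access decisions.
function inspectAccessToken(token, issuer) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    // Opaque (non-JWT) access tokens cannot be inspected on the client.
    return { jwt: false, alg: null, audiences: [], userinfoAllowed: null };
  }
  const header = b64urlJson(parts[0]);
  const payload = b64urlJson(parts[1]);
  // "aud" may be a single string or an array of strings (RFC 7519).
  const audiences = [].concat(payload.aud === undefined ? [] : payload.aud);
  // Assumed /userinfo audience: issuer (with trailing slash) + "userinfo".
  const userinfoAud = issuer.replace(/\/?$/, "/") + "userinfo";
  return {
    jwt: true,
    alg: header.alg,
    audiences,
    userinfoAllowed: audiences.includes(userinfoAud),
  };
}

// Constructed sample tokens with a dummy signature, so this runs offline.
function makeSampleToken(alg, aud) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg, typ: "JWT" }), enc({ iss: ISSUER, aud }), "c2ln"].join(".");
}

const rs256Token = makeSampleToken("RS256", ["https://api.example.test", ISSUER + "userinfo"]);
const hs256Token = makeSampleToken("HS256", "https://api.example.test");

console.log(inspectAccessToken(rs256Token, ISSUER)); // userinfoAllowed: true
console.log(inspectAccessToken(hs256Token, ISSUER)); // userinfoAllowed: false
```

A result with `userinfoAllowed: false` matches the 401 described above: the token is only addressed to the API, so /userinfo rejects it.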