However, audience is a string parameter and cannot take multiple (I tried separating with a space but it didn’t work). I assume this is why I’m getting:
OPError: invalid_token (The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens)
Where exactly are you getting this error, your API? The token you shared is RS256 - The /userinfo audience is added by default so need to add any extra audience param.
I got this message from the paid support channel. I’m not sure this is actually correct. My use case is so simple. I’m literally just trying to retrieve user info from one API (punchline/api).
Thank you for contacting Auth0 Support, I’m glad to assist. Unfortunately, it is not possible to obtain a token to be used against multiple APIs as audience values, as you mentioned. The best approach to handle this is to obtain a token per API within your app. You may consider also the approach of using a logical API that represents multiple APIs in your system which is outlined in the following docs: Configure Logical API for Multiple APIs
I don’t think that information is correct either when it comes to the /userinfo audience, see this post.
While I’m still not positive what the issue could be in your particular implementation, I spent some time digging into this today and was successfully able to call fetchUserInfo() - I added some code to our auth0-express-web-app sample to accomplish this. If you are interested in trying my updated sample yourself, you can find it here.
You should just need to clone it, cd into 01-login, npm install, add your own .env file (below), and run npm start: