Passed Audience is automatically overwritten during /authorize

As described here: "authentication - Why is 'audience' set to 'localhost:<port>' with auth0?" (Stack Overflow)

To receive a JWT instead of an Opaque Token I pass an Audience during /authorize. However, the Audience that I pass (explicitly) is dumped and replaced by “https://localhost:8787”.

Where is this coming from? Funny enough, this seems to be concatenated (https://…) since I don't even run TLS locally.

Also, why do I have to set an audience if it is dumped anyway? Just to mention, I don't have a default audience set in my tenant.

Also, the docs state (!) "It’s recommended to use a URI but it’s not actually necessary since this is just a unique identifier."

Why is the audience expected to be the calling host?

If I create an API with “https://localhost:8787” everything works fine, but this is unexpected behaviour as far as I understand. I went through all of the docs 3 times, but did not find anything about this. Maybe someone can help.

Best regards

Hi @admin61,

Welcome to the Auth0 Community!

As you’ve noted, the default setting in Auth0 is to return an opaque token.

An audience of anything else is almost certainly a result of a configuration in your tenant or is being added as part of the request from your application.

If you DM me your tenant name I can take a look at your tenant config.

An access token is intended to be consumed by the audience that it was issued for. I’m not sure what you mean by dumped.

The audience param is intended to be the consumer of the token. This is usually a backend or API in this type of setup, but could be other apps too.

This resource might also be helpful:

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
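
One way to check the point raised in the reply, that the audience may be added by the request the application itself sends: compare the `audience` parameter in the /authorize URL captured from the browser with the `aud` claim of the token that came back. This is an added example, not part of the thread and not Auth0's code; the tenant host, client ID and token are constructed placeholders, and the token's signature is deliberately not verified.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit


def requested_audience(authorize_url):
    """Audience values actually present in the /authorize query string."""
    return parse_qs(urlsplit(authorize_url).query).get("audience", [])


def token_audience(access_token):
    """aud claim as a list, or None when the token is opaque (not a JWT).

    The signature is NOT verified; this is a debugging aid, not validation.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        return None
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    aud = claims.get("aud", [])  # RFC 7519 allows a string or an array
    return [aud] if isinstance(aud, str) else list(aud)


def compare(authorize_url, access_token):
    """Report what was sent, what the token carries, and whether they agree."""
    sent, got = requested_audience(authorize_url), token_audience(access_token)
    return {"sent": sent, "token_aud": got,
            "match": got is not None and any(a in got for a in sent)}


def b64url_json(obj):
    # Helper used only to build the constructed sample token below.
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample data: placeholder tenant and client, unsigned token.
SAMPLE_URL = ("https://TENANT.example/authorize?response_type=code"
              "&client_id=CLIENT_ID&audience=https%3A%2F%2Flocalhost%3A8787")
SAMPLE_TOKEN = ".".join([b64url_json({"alg": "RS256", "typ": "JWT"}),
                         b64url_json({"aud": "https://localhost:8787"}), "sig"])

if __name__ == "__main__":
    print(compare(SAMPLE_URL, SAMPLE_TOKEN))
```

If `sent` already contains the localhost value, the application or its SDK configuration is supplying it; an empty `sent` together with an opaque token means no audience reached /authorize at all.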