Auth0 Home Blog Docs

Password grant for API via Android Lock



I’m having some trouble with the authentication flow I require for my Android application.

I have an API configured in Auth0 for my backend. I also have an app configured for my Android application, with the Password Grant type enabled.

I can successfully make requests to the back-end using the Insomnia API testing client, logging in with username and password.

What I want:

  1. To log in using a username/password (Database) connection via Lock for Android
  2. Receive an access token in JWT format
  3. Use this access token to authenticate against my API

When I log in using Lock for Android using the recommended audience (https://<my_domain>, I get an opaque, non-JWT access token back, regardless of what I specify as my requested scope. The ID token also has the Android application’s Auth0 client ID specified as the audience. I get a 401 when attempting to use this for authentication against my back end.

When I attempt to log in using my api’s audience string instead (based on my experience with Insomnia), I get the following error via an AuthenticationException thrown from Lock:
“error” -> “invalid_request”
“error_description” -> “invalid audience specified for password grant exchange”

I cannot find anywhere in the management dashboard to allow password grant for my API specifically.

How can I achieve goals 1-3 above?


Setting the audience to https://<my_domain>/api/v2/ returns me a JWT access token, but the decoded JWT has audience entries of
“aud”: [

Attempting to access my API with this token still returns a 401


Found the problem: I had a trailing “/” on the end of my API audience string


Perfect! Glad you were able to spot it!