There are two services you’re trying to leverage from Auth0, user authentication and API authorization. In addition, you’re leveraging those by following the OAuth2 and OpenID Connect (OIDC) related standards. This means that the outcome of the user authentication (which follows OIDC) is an ID Token that contains information about the user that authenticated into your client application. The user authentication step may also generate an access token even if you don’t specify your own audience, however, this access token is meant to call the OIDC specified
An ID Token is always a JWT and the audience will always be the client application; this is because ID Tokens are meant to only be used by the client application as means to know information about the user identity that authenticated.
In addition to that you’re also performing an API authorization request (by means of including the audience parameter). The outcome of an API authorization request (which follows OAuth2) is an access token that can then be used by the client application to authorize the requests that it performs against the specified audience.
The above explains why sending an ID Token to your API fails; you’re treating the API as an independent system with its own identifier and the correct way for a scenario like this requires you to send an access token obtained specifically for use against that API.
In conclusion, you would need to send the access token instead of the ID Token, however, React Native Lock was designed to provide the user authentication part of it and to my knowledge the API authorization aspect is not supported/documented (at least I could not find any documentation on it, so your mileage may vary). I know we are actively updating the documentation and quickstart guidance to cover API authorization scenarios, but at this time it is not yet available. The general guidance for calling independent APIs from mobile applications suggests the use of PKCE in case you want to start some research on the subject.