Unauthorized, Bad audience for management api


My login method is the following:

import auth0 from 'auth0-js';

const webAuth = new auth0.Authentication({
  domain: 'tenant-name.eu.auth0.com',
  clientID: 'xxx',
  responseType: 'token id_token',
  redirectUri: 'http://localhost:3000/callback',
  audience: 'http://localhost:3000'
});

await webAuth.login({
  username: this.formEmail,
  password: this.formPassword,
  realm: 'Username-Password-Authentication',
  scope: 'openid profile email app_metadata user_metadata update:users update:users_app_metadata'
});

I get a proper access_token.
I get: {"statusCode":401,"error":"Unauthorized","message":"Bad audience: http://localhost:3000 https://tenant-name.eu.auth0.com/userinfo"}
when I call the management API with the following.

const webAuth = new auth0.Management({
  domain: 'tenant-name.eu.auth0.com',
  token: localStorage.getItem('access_token')
});

await webAuth.patchUserMetadata(userId, {
  "name": this.formName,
  "nickname": this.formNickname
}, (error, result) => {
  // handle error or result here
});

There are no options to set audience on the Management API.

I see in your code you have set the audience in your authorization request to audience: 'http://localhost:3000'. The audience parameter needs to be set to the target API; in this case of calling the Auth0 Management API, you should use audience: 'https://your-auth0-domain/api/v2/'.

Please let me know if that helps.


I have already tried to set my authentication audience to that.
But then I can’t log in; I get:

{"error":"invalid_request","error_description":"invalid audience specified for password grant exchange"}

Same issue: would like my user to be able to update their preferences using the same token they use to access my api. Seems if they log on to my api, they can’t access the management api.

How would single sign-on to multiple APIs work?


@dearwicker If we want to achieve this for multiple APIs, I believe the recommended approach would be to create a single API to represent all the individual APIs, and then control access to the individual APIs by assigning the appropriate scopes: https://auth0.com/docs/api-auth/tutorials/represent-multiple-apis

@zyxep were you able to solve your issue?

Same issue here. Not sure why most things with Auth0 have to be so convoluted and complicated. I also wasn’t sure if this scope was needed when calling auth0.WebAuth: update:current_user_metadata.

Like most things in the documentation, it’s just randomly mentioned on this page, but never fully explained: https://auth0.com/docs/libraries/auth0js/v9 Although it sounds self-explanatory, is it required? Can I update the user_metadata without providing that scope to auth0.WebAuth? This is what I’m talking about when I say everything is convoluted.


@kimcodes I did not understand the steps to follow.

  1. I have an SPA that has audience set to a dotnet application (backend). I understand that I will now get 401 with the management API because the token is not valid for this.
  2. I went ahead and created a new API application in the Dashboard and created a couple of scopes.
  3. Then assigned each one of these scopes to each of the APIs (the app’s API and the management API).
  4. I then updated the SPA to use the audience of the newly created API application.

I still get 401.

hey @tej were you able to solve your issue?

For me the issue was a bad url in the auth0 doc example…
just needed to change https://login.auth0.com/api/v2/users to https://{accountNamespace}/api/v2

Thanks a lot @dekel for sharing that with the rest of the community!
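
An added example, not part of the thread or of Auth0's own code: a Node.js check that decodes an access token's aud claim and compares it with the Management API audience named in the reply near the top of the thread, which is the mismatch the "Bad audience" response reports. The helper names and the unsigned sample tokens are constructed for illustration.

```javascript
// Troubleshooting aid only: the payload is decoded WITHOUT verifying the
// signature, so never use the result as an authorization decision.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) {
    // Opaque (non-JWT) access tokens cannot be inspected this way.
    throw new Error('not a JWT: expected three dot-separated segments');
  }
  // JWT segments are base64url; map to standard base64 before decoding.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// The aud claim may be a single string or an array of strings (RFC 7519).
function audiences(payload) {
  if (payload.aud === undefined) return [];
  return Array.isArray(payload.aud) ? payload.aud : [payload.aud];
}

// Does this token list the tenant's Management API as an audience?
function checkManagementAudience(token, domain) {
  const expected = `https://${domain}/api/v2/`;
  const aud = audiences(decodeJwtPayload(token));
  return { ok: aud.includes(expected), expected, aud };
}

// Constructed sample tokens (placeholder signature) so the demo runs offline.
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const DOMAIN = 'tenant-name.eu.auth0.com';
// Same audiences as in the 401 message quoted in the first post.
const apiToken = makeSampleToken({
  aud: ['http://localhost:3000', `https://${DOMAIN}/userinfo`],
});
// A token issued for the Management API instead.
const mgmtToken = makeSampleToken({ aud: `https://${DOMAIN}/api/v2/` });

console.log(checkManagementAudience(apiToken, DOMAIN));
console.log(checkManagementAudience(mgmtToken, DOMAIN));
```

Running the check on a token before sending it to /api/v2/ shows whether a 401 comes from the audience or from something else, such as missing scopes.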