Last Updated: Jun 26, 2024
Overview
The audience (presented as the aud
claim in the access token) defines the intended consumer of the token. This is typically the resource server (API, in the dashboard) that a client (Application) would like to access.
It can be added to the request to authorize i.e. audience: 'https://test-api';
Here is an example where an application MY_CLIENT_ID_12345
requested an access token with an audience of https://test-api
.
{
"header": {
"alg": "RS256",
"typ": "JWT",
"kid": "123456"
},
"payload": {
"iss": "https://xxxxx.auth0.com/"",
"sub": "auth0|123456789",
"aud": "https://test-api"",
"iat": 1634332895,
"exp": 1634419295,
"azp": "MY_CLIENT_ID_123456",
"scope": "openid email",
"permissions": []
},
"signature": "123456"
}
The audience is in the token as aud
.
Although the access token is issued to the client/application (azp
), it is not the intended consumer. Rather, the client is the authorized party (presented as the azp
claim in the access token) and is not meant to consume the access token.
Applies To
- Audience
- Frequently asked questions about Audience
Solution
Check out the video below.
What should I use as my API Identifier?
The identifier should be an absolute URI, but this doesn’t have to be a publicly available URI; Auth0 will not call the API at all.
Is it optional?
Yes, it is possible to make a request to authorize without including an audience parameter. In this case, the audience parameter will default to the userinfo endpoint for the tenant, and an opaque token will be issued that can be exchanged for user information.
Additionally, a custom default audience can be configured. Setting the Default Audience is equivalent to appending this audience to every authorization request made to the tenant for every application. This will cause new behavior that might result in breaking changes for some of the applications.