The audience (presented as the aud claim in the access token) defines the intended consumer of the token.
This is typically the resource server (API, in the dashboard) that a client (Application) would like to access.
It can be added to the request to authorize i.e. audience: 'https://test-api';
Here is an example where an application MY_CLIENT_ID_12345 requested an access token with an audience of https://test-api.
{
"header": {
"alg": "RS256",
"typ": "JWT",
"kid": "123456"
},
"payload": {
"iss": "https://xxxxx.auth0.com/"",
"sub": "auth0|123456789",
"aud": "https://test-api"",
"iat": 1634332895,
"exp": 1634419295,
"azp": "MY_CLIENT_ID_123456",
"scope": "openid email",
"permissions": []
},
"signature": "123456"
}
You will see the audience is in the token as aud.
Although the access token is issued to the client/application (azp), it is not the intended consumer. Rather, the client is the authorized party (presented as the azp claim in the access token) and is not meant to consume the access token.
This video explains what is Audience:
