express-jwt: Unauthorized error: expected audience

I’m using express-jwt and jwks-rsa to authorize a Node API with Auth0. Everything has been working great, until I had to do a fresh npm install today. Then when my app tried to make an authorized API request, I received this error:

UnauthorizedError: jwt audience invalid. expected: http://localhost:3003/api/
    at /Users/kimmaida-auth0/Documents/Auth0/Blog/Angular Series/mean-rsvp/node_modules/express-jwt/lib/index.js:102:22
    at /Users/kimmaida-auth0/Documents/Auth0/Blog/Angular Series/mean-rsvp/node_modules/jsonwebtoken/verify.js:27:18
    at _combinedTickCallback (internal/process/next_tick.js:67:7)
    at process._tickCallback (internal/process/next_tick.js:98:9)

Nothing whatsoever has changed except the fresh npm install. The JWT audience is exactly what it should be.

Most upvoted comments

I was able to fix this by changing audience to aud, like so:

const jwtCheck = jwt({
  secret: ...,
  // 'aud' is not the option express-jwt reads (it expects 'audience'),
  // so this setting skips the audience check entirely; see the UPDATE below
  aud: config.AUTH0_API_AUDIENCE,
  issuer: `https://${config.AUTH0_DOMAIN}/`,
  algorithms: ['RS256']
});

Another user had previously discovered that they needed to do this and they left a comment in the Auth0 blog to that effect. This was a while back.

I’ve now confirmed that this is required to fix the unauthorized API access error in multiple repos.

Ideally, it should accept both audience and aud, because now there are users using both / either depending on what version of express-jwt they’re using, and whether or not they’ve run into this issue yet.

UPDATE: This is not a fix, it’s a bypass. Please do not do this.

Came here and realized my ignorance of ID Token vs Access Token. This post helped clear things up for me:

https://community.auth0.com/t/what-is-the-difference-between-idtoken-accesstoken/10843

Was experiencing this. It was my mistake of using my id_token rather than my authorizationToken.

I always got the error when decoding the ID_TOKEN instead of the access_token, so I found out that the audience set in the ID_TOKEN is not the same as the one set on the access_token: https://github.com/auth0/auth0.js/issues/473#issuecomment-316982867

Copying straight from the example generated by the quickstart, I got the “jwt audience invalid”. I had to change “audience” to “aud” too to get it working.

express@4.16.2
express-jwt@5.3.0
jwks-rsa@1.2.1