express-jwt: Unauthorized error: expected audience

I’m using express-jwt and jwks-rsa to authorize a Node API with Auth0. Everything has been working great, until I had to do a fresh npm install today. Then when my app tried to make an authorized API request, I received this error:

UnauthorizedError: jwt audience invalid. expected: http://localhost:3003/api/
    at /Users/kimmaida-auth0/Documents/Auth0/Blog/Angular Series/mean-rsvp/node_modules/express-jwt/lib/index.js:102:22
    at /Users/kimmaida-auth0/Documents/Auth0/Blog/Angular Series/mean-rsvp/node_modules/jsonwebtoken/verify.js:27:18
    at _combinedTickCallback (internal/process/next_tick.js:67:7)
    at process._tickCallback (internal/process/next_tick.js:98:9)

Nothing whatsoever has changed except the fresh npm install. The JWT audience is exactly what it should be.

About this issue

Most upvoted comments

I was able to fix this by changing audience to aud, like so:

const jwtCheck = jwt({
    secret: ...,
    aud: config.AUTH0_API_AUDIENCE,
    issuer: `https://${config.AUTH0_DOMAIN}/`,
    algorithms: ['RS256']
  });

Another user had previously discovered that they needed to do this and they left a comment in the Auth0 blog to that effect. This was a while back.

I’ve now confirmed that this is required to fix the unauthorized API access error in multiple repos.

Ideally, it should accept both audience and aud, because now there are users using both / either depending on what version of express-jwt they’re using, and whether or not they’ve run into this issue yet.

UPDATE: This is not a fix, it’s a bypass. Please do not do this.

+27
kmaida on Oct 10, 2017

Came here and realized my ignorance of ID Token vs Access Token. This post helped clear things up for me:

https://community.auth0.com/t/what-is-the-difference-between-idtoken-accesstoken/10843

+3
nikosolihin on Mar 20, 2019

Was experiencing this. Was my failure of using my id_token rather than my authorizationToken.

+3
alukach on Sep 21, 2018

i always got the error when decoding the ID_TOKEN instead of access_token so i found out that the audience set in the ID_TOKEN is no the same than the one set on the access_token : https://github.com/auth0/auth0.js/issues/473#issuecomment-316982867

+2
idhard on May 26, 2018

Copying straight from the example generated by the quickstart, I got the “jwt audience invalid”. I had to change “audience” to “aud” too to get it working.

±- express@4.16.2 ±- express-jwt@5.3.0 ±- jwks-rsa@1.2.1

+2
RedShift1 on Jan 15, 2018
Read more comments on GitHub
← Auth0.swift: The credentials renewal failed. CAUSE: Unknown or invalid refresh token.
express-openid-connect: After callback, req.oidc.accessToken and req.oidc.user are undefined →