UnauthorizedError: jwt audience invalid. expected: undefined
```js
getQuote() {
  let token = auth.getAuthHeader();
  console.log(token)
  this.$http.get('http://localhost:3001/api/protected/random-quote', { headers: {
    Authorization: token
  }})
  .then((data) => {
    this.quote = data;
  })
  .catch((err) => console.log(err))
}
```
If I remove the authorization header the server logs the following in the console:
UnauthorizedError: No Authorization header was found
I'm certain I'm passing in the Authorization header in the "Bearer {jwt}" format correctly. What else am I missing?
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImsiLCJpZCI6MiwiaWF0IjoxNDkzOTQyMjQ5LCJleHAiOjE0OTM5NjAyNDl9.RVrM7JL7D0ClQ-zOJijdJxZnUQHXVZKFO8wBvN469C8
xhr.js?14ed:177 GET http://localhost:3001/api/protected/random-quote 401 (Unauthorized)
dispatchXhrRequest @ xhr.js?14ed:177
xhrAdapter @ xhr.js?14ed:12
dispatchRequest @ dispatchRequest.js?91bc:52
xhr.js?14ed:177 XHR finished loading: GET "http://localhost:3001/api/protected/random-quote".
dispatchXhrRequest @ xhr.js?14ed:177
xhrAdapter @ xhr.js?14ed:12
dispatchRequest @ dispatchRequest.js?91bc:52
SecretQuote.vue?325d:31 Error: Request failed with status code 401
at createError (eval at <anonymous> (app.js:782), <anonymous>:15:15)
at settle (eval at <anonymous> (app.js:890), <anonymous>:18:12)
at XMLHttpRequest.handleLoad (eval at <anonymous> (app.js:761), <anonymous>:77:7)
I am facing the same issue, too. :(
When I try to get protected quotes, it gives the error
UnauthorizedError: jwt audience invalid. expected: undefined
Can anyone please help on this?
@Mazzzy and @9swampy. This repo returns two tokens, an id_token and an access_token. The access_token should be the token sent as an Authorization header.
Also, did you specify the audience in the backend when you cloned this repo?
Any value of your choice can be your audience in the config.json. Example:
So, when the access_token is being signed, it takes it into consideration before signing.
```js
function createAccessToken() {
  return jwt.sign({
    iss: config.issuer,
    aud: config.audience,
    exp: Math.floor(Date.now() / 1000) + (60 * 60), // one hour from now
    scope: 'full_access',
    sub: "lalaland|gonto",
    jti: genJti(), // unique identifier for the token
    alg: 'HS256'
  }, config.secret);
}
```
It then goes ahead to validate the access_token before giving access to the protected random route.
```js
// Validate access_token
var jwtCheck = jwt({
  secret: config.secret,
  audience: config.audience,
  issuer: config.issuer
});
```
I think the audience is not checked correctly if it is set. ... If I don't set audience at all, then I also don't need to set aud, so it's not aud that does the "fix"; it just works when audience is not set. ( "express": "^4.16.2", "express-jwt": "^5.3.0", "jwks-rsa": "^1.2.1")
```js
jwtCheck = jwt({
  secret: jwks.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: "https://xx.eu.auth0.com/.well-known/jwks.json"
  }),
  //audience: 'xx-xx-api',
  issuer: "https://xx.eu.auth0.com/",
  algorithms: ['RS256']
});
```
Internally the client id seems to be used, because if you set audience to your client id, that's the only way audience doesn't produce that error.
I'm struggling with the same issue for the past few hours.
I added the clientID as the actual audience in my express API, because the application token always gets signed with the actual client Id.
Like this I'm imagining we can accept only 'calls' from our desired application; if we had many we'd get an error.
I guess it's good for something.
Only worked for me with aud instead of audience and removing issuer
ʕノ•ᴥ•ʔノ ︵ ┻━┻
([email protected])
```js
export default jwt({
  secret: jwks.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`
  }),
  // documented as audience but only works as "aud"
  aud: process.env.AUTH0_AUDIENCE,
  // documented as required but only works without
  // issuer: `https://${process.env.AUTH0_DOMAIN}`,
  algorithms: ["RS256"]
});
```
Apparently you are not supposed to bypass audience by using aud in an SPA <> API authorization flow.
I found an amazing summary of how it's supposed to be done in that comment. It works flawlessly on my end (Angular2 + Nodejs API).