# How to fix : Bearer error="invalid_token", error_description="The issuer 'https://dev-[DOMAIN].auth0.com/' is invalid"

## Before we start

This guide assumes:

* You are using a recent version of [.NET](asp.net) (.NET 6+) and that you are using JWT authentication with [Auth0](https://auth0.com).
    
* You have already followed an Auth0 [guide](https://auth0.com/blog/securing-aspnet-minimal-webapis-with-auth0/#Securing-the-Web-API-with-Auth0) to setup API authentication for [ASP.NET](http://ASP.NET) but cannot fix the error mentioned in the title
    
* You understand how Auth0 works and what domains, bearer tokens, JWTs, authentication, and authorization are. If not, I recommend reading something like [this](https://auth0.com/docs/quickstart/backend/aspnet-core-webapi/01-authorization).
    

### What does this error mean?

`Bearer error="invalid_token", error_description="The issuer '`[`https://dev-[DOMAIN].[AREA].auth0.com/`](https://dev-[DOMAIN].[AREA].auth0.com/)`' is invalid"`

This error indicates that the JWT authentication module is unable to verify your token because the token's issuer and the `ValidIssuer` you specified in your configuration do not match.

## How to solve the issue

> I ran into this problem while writing a [Minimal Web Api](https://blog.jetbrains.com/dotnet/2023/04/25/introduction-to-asp-net-core-minimal-apis/). This solution should work for traditional controller-based projects as well but YMMV.

### 0\. Verify your token is valid

Take the token you got from API Settings -&gt; Test and paste it into [jwt.io](http://jwt.io).

It will show you if it is valid. If it is, it will also show the domain and audience this token is associated with. Make sure those match with the values for your current API application.

**Note that the issuer field shown on** [**jwt.io**](http://jwt.io) **will include a trailing slash at the end.** This is important for later.

### 1\. Make sure your values in `appsettings.json` are correct.

It should look something like this:

```json
  "Auth0": {
    "Domain": "dev-[yourdomain].[area].auth0.com",
    "Audience": "https://[audience].com"
  }
```

> `Audience` refers to the `Identifier` parameter in the APIs settings page.

**Make sure that the** `Domain` does not start with 'https'.

`Audience` should start with 'https' however.

> I originally had this error because my domain was prefixed with 'https'.

### 2\. Properly configure authentication in your Program.cs

As shown in this [guide](https://auth0.com/blog/securing-aspnet-minimal-webapis-with-auth0/#Securing-the-Web-API-with-Auth0) you need to setup JWT authentication for your API. I will not be covering how to set this up, refer to the guide for more info.

Once you have that set up your `Program.cs` should look something like this:

```csharp
var builder = WebApplication.CreateBuilder(args);

// other stuff...

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, c =>
    {
        c.Authority = $"https://{builder.Configuration["Auth0:Domain"]}";
        c.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            ValidAudience = builder.Configuration["Auth0:Audience"],
            ValidIssuer = $"https://{builder.Configuration["Auth0:Domain"]}",
        };
    });

builder.Services.AddAuthorization();

// adding other services...

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// other stuff..

app.Run();
```

It was easier for me to extract the domain value as it was used twice and we need to modify it.

My code looks like this:

```csharp
var domain = $"https://{builder.Configuration["Auth0:Domain"]}/";
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, c =>
    {
        c.Authority = domain;
        c.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            ValidAudience = builder.Configuration["Auth0:Audience"],
            ValidIssuer = domain,
        };
    });
```

**This trailing slash is important as it matches the issuer field of the token as we saw earlier**

Your `[Authorized]` endpoints should now accept the valid token.

**If this solution did not work for you**, debug your `Program.cs` and step through setup until you can read the values of `ValidAudience` and `ValidIssuer`. Make sure those two values match those found on [jwt.io](http://jwt.io) exactly!

Also, check out the code of this [sample project](https://github.com/auth0-samples/auth0-aspnetcore-webapi-samples) it helped me finally solve this.

## Acknowledgements

Helpful resources used:

* [https://auth0.com/blog/securing-blazor-webassembly-apps/#Securing-the-API-with-Auth0](https://auth0.com/blog/securing-blazor-webassembly-apps/#Securing-the-API-with-Auth0)
    
* [https://github.com/auth0-blog/secure-blazor-wasm-quiz-manager](https://github.com/auth0-blog/secure-blazor-wasm-quiz-manager)
    
* [https://auth0.com/blog/aspnet-web-api-authorization/#Testing-the-Secure-Web-API](https://auth0.com/blog/aspnet-web-api-authorization/#Testing-the-Secure-Web-API)
    
* [https://auth0.com/docs/quickstart/backend/aspnet-core-webapi/01-authorization](https://auth0.com/docs/quickstart/backend/aspnet-core-webapi/01-authorization)
    
* [https://github.com/auth0-blog/minimalwebapi](https://github.com/auth0-blog/minimalwebapi)
    
* [https://auth0.com/blog/securing-aspnet-minimal-webapis-with-auth0/](https://auth0.com/blog/securing-aspnet-minimal-webapis-with-auth0/)
    
* [https://jwt.io/](https://jwt.io/)
    
* [https://auth0.com/docs/quickstart/backend/aspnet-core-webapi/03-troubleshooting](https://auth0.com/docs/quickstart/backend/aspnet-core-webapi/03-troubleshooting)
    

**Hope this helps!!**



Tags:
* .NET
* [ASP.NET](http://ASP.NET) Core
* Minimal Web Api
* Auth0
* JWT authentication
* api authentication
