Kinde · 6d ago
Pranay

jwtVerify from node express needs an audience

I am trying to set up an express server that can verify my token. This is my current code:
```javascript
const express = require("express");
const { jwtVerify } = require("@kinde-oss/kinde-node-express");
const jwt = require("jsonwebtoken");
require("dotenv").config();

const app = express();
app.use(express.json());

// Environment variables from your .env file:
const KINDES_SUBDOMAIN = process.env.KINDES_SUBDOMAIN; // e.g., "your_kinde_subdomain"
const SHARED_SECRET = process.env.SHARED_SECRET; // Your HS256 secret for signing tokens
const KINDES_ISSUER = `https://${KINDES_SUBDOMAIN}.kinde.com`;

console.log("Server configuration:", {
  kindeSubdomain: KINDES_SUBDOMAIN,
  kindeIssuer: KINDES_ISSUER,
  sharedSecretExists: !!SHARED_SECRET,
});

// Initialize the Kinde verifier middleware. This caches Kinde's JWKS.
const verifier = jwtVerify(KINDES_ISSUER);

// Token exchange endpoint: verifies the incoming Kinde token then issues a new token.
app.post("/exchange-token", verifier, (req, res) => {
  console.log("Token exchange request received");
  // ... the rest of the handler is cut off in the original post
});
```
However, I am getting an error as soon as I try to run the Node server:

```
TypeError: Cannot destructure property 'audience' of 't' as it is undefined.
    at exports.jwtVerify (/Users/pranay/Desktop/Buildspace/irl/website/tova-express/node_modules/@kinde-oss/kinde-node-express/dist/index.cjs:313:129373)
    at Object.<anonymous> (/Users/pranay/Desktop/Buildspace/irl/website/tova-express/server.js:22:18)
    at Module._compile (node:internal/modules/cjs/loader:1460:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1544:10)
    at Module.load (node:internal/modules/cjs/loader:1275:32)
    at Module._load (node:internal/modules/cjs/loader:1091:12)
    at wrapModuleLoad (node:internal/modules/cjs/loader:212:19)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:158:5)
    at node:internal/main/run_main_module:30:49

Node.js v22.3.0
```
Is this a known issue?
3 Replies
Ages · 6d ago
Hi Pranay,

The error you're encountering—"Cannot destructure property 'audience' of 't' as it is undefined"—is typically triggered when the verifier expects an audience claim in the token but doesn't find one. This means that either the token generated by your client doesn’t include the expected aud claim, or the verifier isn’t being provided with the correct options to validate it.

In fact, similar issues have been discussed in community forums. For instance, users on Answer Overflow have noted that when the token’s aud claim is missing or empty (even though it appears correctly when generated via the Kinde portal), the jwtVerify middleware fails because it tries to destructure an undefined audience field. They suggest double-checking your API configuration in the Kinde dashboard to ensure the audience is correctly set and that your client requests the token with the proper audience parameter. Additionally, verify that you’re using the latest version of the SDK, as updates may include fixes or better error messages for these scenarios.

For more context, you can refer to discussions like this one: https://www.answeroverflow.com/m/1342410814795157575

I hope this helps clarify the issue. If you need further assistance or additional troubleshooting steps, please let me know.
Pranay (OP) · 6d ago
Got it. So I am generating the access token from React Native directly using:
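```javascript
import { useKindeAuth } from "@kinde/expo";

// Fragment from inside a component: kindeAuth and options are defined elsewhere in the app.
const loginResult = await kindeAuth.login({
  orgCode: options?.orgCode,
  audience: options?.audience
});
```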
But now when I try to login, my client shows an error message like this:
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Requested audience '84c4edc8aabd43b28f337a1e9af46688' has not been whitelisted by the OAuth 2.0 Client."}
I can't figure out where on Kinde I enable the audience parameter.
Ages · 3d ago
Hi Pranay,

Thanks for the detailed reproduction steps. Based on the error message, it does appear that the audience you’re providing might not be whitelisted for your OAuth 2.0 client. I’m going to discuss this with my team to confirm if whitelisting the audience is required and get back to you with a definitive solution.

Hi Pranay,

It seems the error occurs because the audience parameter in your login request isn’t whitelisted in your Kinde Dashboard settings. If you're accessing Kinde’s APIs via machine-to-machine (M2M) authentication, you should use {your_domain}.kinde.com/api as the audience. However, if you're using a custom domain for authentication, you'll need to add your custom domain as an API under Settings > API and then whitelist it in your application settings. Please try this update and let us know if you need further assistance.
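
The two audience failure modes that come up in this thread, as an added example that is not part of the original posts and is not the Kinde SDK's code: a verifier built without an audience option, and a token whose `aud` claim is missing, empty or different. `makeVerifier`, `signToken`, the HS256 secret and the sample issuer and audience values are all hypothetical and constructed for the demo.

```javascript
// Added example: issuer and audience checks on a JWT, Node.js standard library only.
// Assumption: HS256 with a constructed secret so it runs offline; a provider's
// tokens are normally verified against the provider's published signing keys.
const crypto = require("node:crypto");

const b64url = (v) => Buffer.from(v).toString("base64url");
const hmac = (secret, data) => crypto.createHmac("sha256", secret).update(data).digest();

// Constructed helper that signs sample tokens for the demo.
function signToken(payload, secret) {
  const data = `${b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64url(JSON.stringify(payload))}`;
  return `${data}.${hmac(secret, data).toString("base64url")}`;
}

// Hypothetical verifier factory. The `= {}` default stops a missing options
// object from throwing a destructuring TypeError; a missing audience is then
// rejected with an explicit message instead.
function makeVerifier(issuer, { audience, secret } = {}) {
  if (!audience || !secret) throw new Error("audience and secret options are required");
  return function verify(token) {
    const [head, body, sig, ...rest] = String(token).split(".");
    if (!head || !body || !sig || rest.length) return { ok: false, reason: "malformed" };
    let header, claims;
    try {
      header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
      claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
    } catch {
      return { ok: false, reason: "malformed" };
    }
    if (header?.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
    const expected = hmac(secret, `${head}.${body}`);
    const given = Buffer.from(sig, "base64url");
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
      return { ok: false, reason: "bad signature" };
    }
    if (claims?.iss !== issuer) return { ok: false, reason: "wrong issuer" };
    // RFC 7519: aud is a single string or an array of strings; [] counts as absent.
    const auds = claims.aud === undefined ? [] : [].concat(claims.aud);
    if (auds.length === 0) return { ok: false, reason: "missing audience" };
    if (!auds.includes(audience)) return { ok: false, reason: "wrong audience" };
    return { ok: true, claims };
  };
}

// Constructed sample values.
const ISSUER = "https://example.kinde.com";
const AUDIENCE = "https://api.example.test";
const SECRET = "constructed-demo-secret";
const verify = makeVerifier(ISSUER, { audience: AUDIENCE, secret: SECRET });
```

Expiry (`exp`) and not-before (`nbf`) checks are left out to keep the example focused on `iss` and `aud`.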
