Retrieve token for Core API and scope/audience understanding

Keith Viking 20 Reputation points


I have created an App Registration on Azure; following this I created a Client Secret, App Role and Scope, setting permission under API Authorisation.

The purpose here is to have a WebApi core using .Net 6 so I can exchange data securely.

In order to get the token I send a request to


grant_type : client_credentials
client_id : myAppClientId
client_secret : myClientValue
scope :

This works and I retrieve a JSON token which I can decode at

I now have the below code in .Net 6 WebCore API

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.

// Learn more about configuring Swagger/OpenAPI at


var app = builder.Build();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())





{
  "AzureAd": {
    "Instance": "",
    "ClientId": "myAppClientId",
    "ClientSecret": "ClientValue",
    "Domain": "myTenantId",
    "TenantId": "myTenantId",
    "Audience": ""
  }
}

My Controller is decorated with [Authorize] at the top; if I call https://localhost/weatherforecast I need to make a new request passing in the Token from above and retrieve the data with bearer.

  1. What would be the correct process to retrieve a token from my WebAPI? Do I create a new controller with full access and a new method to call the same service in this method (sending a request to and passing in the values supplied)? If so, what values should I be providing end consumers for using this service, as some would be sensitive to our Azure account?
  2. I don't fully understand the difference between scope and audience (you will notice in my code the JSON uses Audience, but when I sent the request to get the token I passed in Scope)?

1 answer

Bruce 59,131 Reputation points

    The audience is which services the token is valid for. In your case this identifies that the token is valid for your webapi.

    The scope is the app permission granted to the token. For example, the graph api has scopes like "User.Read" and "Mail.Send". You can define custom scopes for your app. In your case you have the default scope defined for your web app api.

    You can define multiple scopes, and define which scopes are available to each user (clientid, as you are using secrets rather than users).

    As you registered azure ad as the authentication service, the caller would use any oauth client sdk and needs the app settings.

    You would probably create a unique clientid and secret for each caller.
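The audience/scope distinction in the answer above, shown as the two separate checks a resource API performs on an incoming bearer token. This is an added illustration, not code from the question, the answer or Microsoft.Identity.Web: the signing key, the App ID URI `api://myAppClientId` and the role name `Weather.Read` are constructed placeholders, and HS256 with a shared key stands in for the RS256/JWKS verification a real Entra ID token gets.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (placeholders, not real tenant data). A real Entra ID
# token is RS256-signed and checked against the tenant's JWKS; HS256 with a
# shared key is used here only so the example runs offline.
DEMO_KEY = b"constructed-demo-signing-key"
API_AUDIENCE = "api://myAppClientId"   # App ID URI of the Web API (placeholder)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_demo_token(claims: dict) -> str:
    """Build a signed demo JWT; stands in for what the /token endpoint returns."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def authorize(token: str, required_role: str, audience: str = API_AUDIENCE, now=None) -> str:
    """Return 'ok' if the token is valid for this API and carries required_role,
    otherwise the reason the API should reject the call."""
    header_b64, body_b64, sig_b64 = token.split(".")
    # Pin the algorithm before trusting anything else in the token.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return "unexpected alg"
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return "bad signature"
    claims = json.loads(_b64url_decode(body_b64))
    # Audience: was this token issued for *this* API at all? A well-signed token
    # minted for another resource (e.g. Graph) must still be refused.
    if claims.get("aud") != audience:
        return f"wrong audience: {claims.get('aud')!r}"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return "token expired"
    # Permission: a client-credentials token carries app permissions (App Roles)
    # in 'roles'; a delegated user token carries scopes in 'scp'. The API checks
    # the claim that matches the flow it expects, here the app-only 'roles'.
    if required_role not in claims.get("roles", []):
        return f"missing app role: {required_role}"
    return "ok"
```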