Hi @hampton123,
Thanks for reaching out.
Your understanding is correct here. You are getting 401 Unauthorized while calling the API using a bearer token which is not authorized to call your API.
You will be able to get the access token while authenticating using the SPA application, but as you mentioned, you did not grant permissions to your SPA application to access the API. Then you can't use your SPA application to call your API.
If you decode your access token using https://jwt.ms, you should have the scope "Hello" (as per the doc you mentioned) to call the API.
The above access token has the audience, which shows the client ID of the backend application, and the scope "hello", which we expose in our backend API.
This access token is authorized to call the f996-xxx-xx API (backend) with scope "Hello".
If you get the access token without audience and scope, you will not be authorized to call the API and will get an error.
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if the answer helped you.
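The claim check described in this answer, as an added example that is not part of the original post: it decodes an access token's payload the way jwt.ms displays it and lists the reasons an API would answer 401. The client IDs, the sample tokens and the helper names are constructed placeholders, and the signature is not verified, so this is a diagnostic aid and not token validation.

```python
import base64
import json

# Constructed placeholders (assumptions, not values from the post).
API_CLIENT_ID = "00000000-0000-0000-0000-000000000001"
REQUIRED_SCOPE = "Hello"


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed token (placeholder signature) as sample input."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                     _b64url(claims), "constructed-signature"])


def decode_claims(token: str) -> dict:
    """Decode the payload only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def explain_401(token: str, api_client_id: str, required_scope: str) -> list:
    """Return the reasons the API would reject this token (empty list = OK)."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if api_client_id not in audiences:
        problems.append(f"aud is {aud!r}, expected the API's client ID")
    scp = claims.get("scp", "")
    # scp is a space-separated string of delegated scopes; compared exactly.
    scopes = scp.split() if isinstance(scp, str) else list(scp)
    if required_scope not in scopes:
        problems.append(f"scp is {scp!r}, missing scope {required_scope!r}")
    return problems


if __name__ == "__main__":
    for claims in ({"aud": API_CLIENT_ID, "scp": "Hello"},
                   {"aud": "11111111-1111-1111-1111-111111111111", "scp": "openid"}):
        print(explain_401(make_sample_token(claims), API_CLIENT_ID, REQUIRED_SCOPE))
```
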