use jwt connect evevt grid Token containes invalid audience

Question

use jwt connect evevt grid Token containes invalid audience

develop ainfinit 0

use jwt connect event grid failed

log "Token containes invalid audience"

event grid setting

"topicSpacesConfiguration": {
                    "state": "Enabled",
                    "clientAuthentication": {
                        "customJwtAuthentication": {
                            "tokenIssuer": "mqtt-issuer",
                            "issuerCertificates": [
                                {
                                    "certificateUrl": "https://xx.vault.azure.net/certificates/jwt-issuer/x",
                                    "identity": {
                                        "type": "SystemAssigned"
                                    }
                                }
                            ]
                        }
                    },
                    "maximumSessionExpiryInHours": 1,
                    "maximumClientSessionsPerAuthenticationName": 1
                }

develop ainfinit 0

jwt payload

{aud=xx.australiaeast-1.ts.eventgrid.azure.net/], iss=mqtt-issuer, sub=device123456, exp=1766472955, nbf=1766469355}

mqtt client use java paho v5

        String host = "xx.australiaeast-1.ts.eventgrid.azure.net";
        String brokerUrl = "ssl://" + host + ":8883";
        MqttClient client = new MqttClient(brokerUrl, clientId, new MemoryPersistence());
        MqttConnectionOptions options = new MqttConnectionOptions();
        options.setHttpsHostnameVerificationEnabled(true);
        options.setAuthMethod("CUSTOM-JWT");
        options.setAuthData(jwt.getBytes(StandardCharsets.UTF_8));
        options.setAutomaticReconnect(true);
        options.setCleanStart(true);
        client.connect(options);

Pravallika KV 6,185 Reputation points Microsoft External Staff Moderator

2025-12-24T21:23:27.12+00:00
Hi @develop ainfinit ,

Thanks for reaching out to Microsoft Q&A.

The aud claim in your JWT should match the expected format for your Event Grid namespace. For instance, it typically should be in the form of [namespace][region]-1.ts.eventgrid.azure.net. From your payload:

{aud=xx.australiaeast-1.ts.eventgrid.azure.net/]

It seems that you may need to verify that there are no extra characters i.e, the extra slash at the end and that it strictly adheres to the expected format.
Pravallika KV 6,185 Reputation points Microsoft External Staff Moderator

2025-12-29T17:29:00.7+00:00

Hi @develop ainfinit , following up to see if you had a chance to check the above response and if it was helpful. Please do let me know if you have any questions.

1 answer

Your answer

develop ainfinit 0 Reputation points

2025-12-23T06:36:38.8766667+00:00

jwt payload

{aud=xx.australiaeast-1.ts.eventgrid.azure.net/], iss=mqtt-issuer, sub=device123456, exp=1766472955, nbf=1766469355}

mqtt client use java paho v5

String host = "xx.australiaeast-1.ts.eventgrid.azure.net"; String brokerUrl = "ssl://" + host + ":8883"; MqttClient client = new MqttClient(brokerUrl, clientId, new MemoryPersistence()); MqttConnectionOptions options = new MqttConnectionOptions(); options.setHttpsHostnameVerificationEnabled(true); options.setAuthMethod("CUSTOM-JWT"); options.setAuthData(jwt.getBytes(StandardCharsets.UTF_8)); options.setAutomaticReconnect(true); options.setCleanStart(true); client.connect(options);
Pravallika KV 6,185 Reputation points Microsoft External Staff Moderator

2025-12-24T21:23:27.12+00:00

Hi @develop ainfinit ,

Thanks for reaching out to Microsoft Q&A.

The aud claim in your JWT should match the expected format for your Event Grid namespace. For instance, it typically should be in the form of [namespace][region]-1.ts.eventgrid.azure.net. From your payload:

{aud=xx.australiaeast-1.ts.eventgrid.azure.net/]

It seems that you may need to verify that there are no extra characters i.e, the extra slash at the end and that it strictly adheres to the expected format.
Pravallika KV 6,185 Reputation points Microsoft External Staff Moderator

2025-12-29T17:29:00.7+00:00

Hi @develop ainfinit , following up to see if you had a chance to check the above response and if it was helpful. Please do let me know if you have any questions.

Answer 1

The error message "Token contains invalid audience" indicates that the aud claim in your JWT token does not match the expected audience for your Azure Event Grid namespace. To resolve this issue, ensure that the aud claim in your JWT is set correctly. It should be in the format of [namespace][region]-1.ts.eventgrid.azure.net/, where [namespace] is your Event Grid namespace and [region] is the Azure region where your namespace is hosted.

Additionally, verify that your Event Grid configuration is set up correctly for custom JWT authentication, including the issuer and the certificate settings. If the aud claim does not match the expected audience, the authentication will fail, resulting in the error you are seeing.

Make sure to check the following:

The aud claim in the JWT matches the expected format.
The issuer (iss) in the JWT matches the tokenIssuer specified in your Event Grid settings.
The JWT is not expired and is correctly signed with the issuer's certificate.

If these settings are correct and you are still facing issues, consider refreshing your JWT token and trying again.

Share via

use jwt connect evevt grid Token containes invalid audience

1 answer

Your answer