Okta Access Token Issued to Front-End application is Being Rejected by Resource Server
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

This article explains why an Access Token that was successfully requested and issued to a front-end application may be rejected by a resource server/back-end application.

Applies To
  • OAuth 2.0 integration
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
Cause

When sending an Access Token as authorization to a resource server, the resource server will reject the token if token validation fails. During local token validation, the resource server will verify that the token was issued by the expected authorization server (issuer), that it was not issued in the future nor has it expired, and that its signature is valid.

If, for example, the Access Token was issued by the Org Authorization Server (where both the audience and the issuer of the token are https://oktaDomain), but the back-end receiving this token expects it to have been issued by https://oktaDomain/oauth2/default with an audience of api://default, the back-end will reject the token because token validation fails on this mismatch.

More details about token validation are discussed in our documentation: Validate Access Tokens | Okta Developer

Solution

To ensure that the resource server is properly configured to validate access tokens issued to the front-end application, ensure the following:

  • The Issuer for the front-end application requesting tokens is the same as the Issuer for the resource server validating these tokens.
  • The device used by the user to request tokens and the server that validates tokens do not have their machine time manually set and instead use NTP (Network Time Protocol).
  • The resource server can reach the authorization server's JWKS endpoint or has otherwise been provided the public keys available at that endpoint so it can validate the signature.

Example

If using our Angular SDK with our ASP.NET Core WebAPI, the below configurations for each will ensure that they both are using the Default Authorization Server:

Angular

const authConfig = {
  issuer: 'https://{oktaDomain}/oauth2/default',
  clientId: '{clientId}',
  redirectUri: window.location.origin + '/login/callback'
}

ASP.NET Core WebAPI

{
  "Okta": {
    "Issuer": "https://{oktaDomain}/oauth2/default",
    "Audience": "api://default"
  }
}