Error "The audience claim for client_assertion must be the endpoint invoked for the request" when Using the okta-sdk-python SDK with Private Key Authorization
Okta Classic Engine
Okta Identity Engine
SDKs & Libraries
Overview

After configuring the Okta Python Management SDK (okta-sdk-python) to use Private Key Authorization, an attempt to obtain an access_token from Okta fails with an HTTP 401 response:


{
  'message': "HTTP 401 {
    'error': 'invalid_client', 
    'error_description': 'The audience claim for client_assertion must be the endpoint invoked for the request.'
  }"
}
Applies To
  • okta-sdk-python
  • Private Key Authorization
Cause

The aud claim of the JWT (client_assertion) that the SDK generates and sends to Okta is derived from the orgUrl value passed to the SDK in its configuration object.

from okta.client import Client as OktaClient

config = {
    # Base URL of the org; this value feeds the aud claim of the client_assertion JWT
    'orgUrl': 'https://{yourOktaDomain}',
    'authorizationMode': 'PrivateKey',
    # ... remaining Private Key settings omitted in the original
}

okta_client = OktaClient(config)


The Okta backend compares the aud claim against the invoked endpoint using strict string equality; no URL normalization is applied.


An HTTP client treats https://{OktaDomain} and https://{OktaDomain}/ as the same origin, but as strings they are not equal, so an orgUrl with a trailing slash produces an aud claim that fails the comparison.

Solution

Verify that orgUrl is set to the correct Okta base URL for the org, with no trailing forward slash ('/').
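The following added example (not part of this article or of okta-sdk-python) shows two checks a team can run before and after constructing the client: a validator that rejects an orgUrl carrying a trailing slash, path, or non-https scheme, and a diagnostic that decodes the aud claim from a client_assertion and compares it to the token endpoint with the same strict string equality the article describes. The token endpoint path /oauth2/v1/token, the domain dev-123456.okta.com, and the unsigned assertion builder are assumptions constructed for illustration; a real client_assertion is signed with the app's private key.

```python
import base64
import json
from urllib.parse import urlsplit

# Assumed token endpoint path for an Okta org (the "endpoint invoked" in the error text).
TOKEN_ENDPOINT_PATH = "/oauth2/v1/token"


def validate_org_url(org_url: str) -> str:
    """Return org_url unchanged if it is a bare https origin with no trailing slash.

    Raises ValueError with a descriptive message otherwise, so a misconfigured
    value fails fast at startup instead of as an opaque HTTP 401 from Okta.
    """
    parts = urlsplit(org_url)
    if parts.scheme != "https":
        raise ValueError(f"orgUrl must use https, got {org_url!r}")
    if not parts.netloc:
        raise ValueError(f"orgUrl has no host, got {org_url!r}")
    # urlsplit keeps a trailing slash as path '/', so any non-empty path is rejected.
    if parts.path or parts.query or parts.fragment:
        raise ValueError(
            f"orgUrl must be the bare org origin without trailing slash or path, got {org_url!r}"
        )
    return org_url


def token_endpoint_for(org_url: str) -> str:
    """Build the token endpoint URL the SDK will invoke for the given orgUrl."""
    return org_url + TOKEN_ENDPOINT_PATH


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_unsigned_assertion(claims: dict) -> str:
    """Construct an UNSIGNED JWT (empty signature) purely to exercise the decoder below.

    This is a constructed stand-in; the SDK signs the real client_assertion with the
    application's private key. Never send an unsigned token to a real token endpoint.
    """
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(assertion: str) -> dict:
    """Decode the payload segment of a JWT without verifying its signature (diagnostic only)."""
    _header, payload, _signature = assertion.split(".")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def audience_matches(assertion: str, endpoint: str) -> bool:
    """Strict string comparison of the aud claim against the invoked endpoint, as Okta does."""
    aud = decode_jwt_claims(assertion).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return endpoint in audiences


if __name__ == "__main__":
    good = "https://dev-123456.okta.com"      # constructed domain
    bad = "https://dev-123456.okta.com/"      # same origin, trailing slash
    for candidate in (good, bad):
        try:
            validate_org_url(candidate)
            print(f"OK   {candidate}")
        except ValueError as exc:
            print(f"FAIL {exc}")
    # Show how the slash propagates into aud and breaks the strict comparison.
    expected = token_endpoint_for(good)
    for org in (good, bad):
        assertion = build_unsigned_assertion({"aud": org + TOKEN_ENDPOINT_PATH})
        print(org, "->", decode_jwt_claims(assertion)["aud"], audience_matches(assertion, expected))
```

Run validate_org_url on the configured value before passing the config dict to OktaClient; if Okta still returns the 401, decode the assertion the SDK produced with decode_jwt_claims and compare its aud to the endpoint character by character rather than by eye.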
