Backend ID token validation fails with audience mismatch error

I’ve implemented Google authentication in my mobile app and everything works fine on the frontend side. The login process completes successfully and I get the ID token like this:

var userAccount = await googleAuthService.authenticate();
var credentials = await userAccount.authData;
var idToken = credentials.token;

The token gets sent to my Node.js backend via HTTP request without any issues. However, when I try to validate this token on the server side, I keep running into problems. My backend validation code looks something like this:

const serviceConfig = require('./google-config.json');
const { OAuth2Client } = require('google-auth-library');
const authClient = new OAuth2Client(serviceConfig.client[0].oauth_client[0].client_id);

// verifyIdToken checks the signature, issuer, expiry and audience in one call
const validationResult = await authClient.verifyIdToken({
    idToken: idToken,
    audience: serviceConfig.client[0].oauth_client[0].client_id
});
const userInfo = validationResult.getPayload();

The verification always fails with the error message saying “Wrong recipient, payload audience != requiredAudience”. I’m using the same google-services.json configuration file on both the mobile app and the backend server.

I even tried creating new credentials through the Google Cloud Platform console and using those client IDs instead, but I get the exact same audience mismatch error. What’s the correct way to find the right client ID that matches the token’s audience for proper verification?

hmm, interesting - are you sure the token isn’t expired by the time it hits your backend? sometimes there’s a timing issue where validation happens too late. also, what’s the actual payload look like when you decode without verification? try logging jwt.decode(idToken) to see what audience value is actually there vs what you’re expecting.

check for multiple client IDs in your config file - the array index [0] might not be the right one. I hit this same issue and was pulling the wrong client from the array. loop through all clients in the config to see which one matches your token’s aud claim.

You’re likely using the web client ID instead of the mobile client ID for validation, which causes the audience mismatch. When authenticating via a mobile app, Google signs the ID token with the mobile client ID as the audience, rather than the web client ID. Check your google-services.json file to find the mobile platform client ID (for Android or iOS), and use that as the audience parameter in your backend validation code. I faced a similar issue with a React Native app and an Express backend, and switching to the correct mobile client ID resolved it immediately. The token’s audience must match the client ID from the app that requested it, which in this case is your mobile app.
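Putting the two suggestions together (decode the token to see its real `aud`, and check it against every client ID in the config rather than `[0]`), here is an added example that is not from the question or any of the answers. It assumes a config in the google-services.json layout (`client[].oauth_client[].client_id`, with `client_type` 1 for Android and 3 for web) and a constructed, unsigned token; the values are placeholders.

```javascript
// Constructed config in the google-services.json layout; IDs are placeholders.
const sampleConfig = {
  client: [{
    oauth_client: [
      { client_id: 'web-111.apps.googleusercontent.com', client_type: 3 },
      { client_id: 'android-222.apps.googleusercontent.com', client_type: 1 },
    ],
  }],
};

const b64url = (s) => Buffer.from(s).toString('base64url');

// Constructed, unsigned token whose aud is the Android client ID.
const sampleIdToken = [
  b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  b64url(JSON.stringify({
    iss: 'https://accounts.google.com',
    aud: 'android-222.apps.googleusercontent.com',
    sub: '1234567890', exp: 4102444800,
  })),
  'not-a-real-signature',
].join('.');

// Every client_id under every client[].oauth_client[] entry, not just [0].
function collectClientIds(config) {
  return (config.client || []).flatMap((c) =>
    (c.oauth_client || []).map((o) => o.client_id));
}

// Read the aud claim WITHOUT verifying anything; diagnostics only.
function unverifiedAudience(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  return Array.isArray(payload.aud) ? payload.aud : [payload.aud];
}

// Which configured client IDs the token says it was issued for.
function matchingClientIds(config, idToken) {
  const aud = new Set(unverifiedAudience(idToken));
  return collectClientIds(config).filter((id) => aud.has(id));
}

// The real check: verifyIdToken accepts an array of audiences, so pass all
// known client IDs and let the library validate signature, issuer, expiry
// and audience together. authClient is an OAuth2Client (or a test double).
async function verifyAgainstConfig(authClient, config, idToken) {
  const ticket = await authClient.verifyIdToken({
    idToken, audience: collectClientIds(config),
  });
  return ticket.getPayload();
}
```

Run `matchingClientIds` only while debugging; in production rely on `verifyAgainstConfig`, since the decoded `aud` is untrusted until the signature has been checked.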