<@U04UQ68083H> Why are my JWTs not issued from my ...
# ory-copilot
b
@chilly-king-10285 Why are my JWTs not issued from my custom domain?
c
A message from kapa.ai
When using the OAuth2 JWT profile with Ory, the default required audience will be the `https://{project.slug}.projects.oryapis.com` domain associated with your Ory Network project. If you want to use your custom domain as the audience instead, you need to update the OAuth2 Issuer URL of your project to match your custom domain. You can change the issuer URL using the Ory CLI with the following command:
```bash
ory patch oauth2-config {project-id} \
  --replace '/urls/self/issuer="https://auth.myexample.org"'
```
Replace `https://auth.myexample.org` with your custom domain. For more detailed instructions on how to change the OAuth2 Issuer URL, refer to the [Ory documentation](https://www.ory.sh/docs/oauth2-oidc/issuer-url).

If you have recently changed your custom domain and are still experiencing issues, it may be due to a misconfiguration in your OpenID Connect Client or an incorrect issuer URL. You can view the issuer URL of your Ory Network project using the Ory CLI with the following command:
```bash
ory get oauth2-config {project-id} --format json | jq '.urls.self.issuer'
```
Use this value to understand if the server is incorrectly configured or if the client is using the wrong issuer URL.

Sources:
- [Troubleshooting OAuth2 JWT Profile](https://www.ory.sh/docs/troubleshooting/oauth2-trust-audience)
- [Change the OAuth2 issuer URL](https://www.ory.sh/docs/oauth2-oidc/issuer-url)
b
@chilly-king-10285 It's set correctly, but the issuer in the JWT is still the previous URL. Do I need to wait or reset something?
c
A message from kapa.ai
If you have correctly updated the OAuth2 Issuer URL and it's still showing the previous URL in the JWT, it might be due to the nature of JSON Web Tokens (JWTs). One limitation of using JWTs as access tokens is that they can't be revoked immediately after being issued. Instead, revoking a JWT requires either waiting for it to expire or using a blacklist or revocation list to mark the token as invalid. You can check the validity of a JWT using OAuth 2.0 token introspection. To use token introspection to check whether a JWT has been revoked, the client sends a request to the authorization server's introspection endpoint, providing the access token in question as a parameter. The introspection endpoint responds with information about the token, including its validity, expiry time, and any associated metadata. Here's an example of a token introspection request using the SDK:
```typescript
import { Configuration, OAuth2Api } from "@ory/client"

// Client for the project's OAuth2 API, authenticated with the API key
const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function introspectToken(accessToken: string) {
  const { data } = await ory.introspectOAuth2Token({ token: accessToken })
  return data.active // true or false
}
```
If the token is still active, you might need to wait for it to expire or manually invalidate it.

Sources:
- [Revoking JSON Web Tokens](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#revoking-json-web-tokens)
b
@chilly-king-10285 Looking at my config, the OAuth2 endpoints on the Ory Network dashboard are not using the custom domain still.
c
A message from kapa.ai
If the OAuth2 endpoints on the Ory Network dashboard are not using your custom domain, it might be because the custom domain setup is not complete or not propagated yet. When you add a custom domain in the Ory Console, Ory will continuously recheck its status to see if it was configured with your registrar. Note that it can take up to 24 hours for your changes to propagate. You can manually recheck on the custom domains page, or check the value to set with your DNS provider by clicking the magnifying icon in the custom domains section. When the domain is reachable, it will have the "Active status". Once active, the Ory Account Experience is reachable at `https://<your-custom-domain>/ui/welcome`.

If you have completed these steps and the issue persists, it might be a good idea to reach out to Ory support for further assistance.

Sources:
- [Waiting for propagation](https://www.ory.sh/docs/guides/custom-domains#waiting-for-propagation)
- [Set up custom domains](https://www.ory.sh/docs/guides/custom-domains)