It looks like the OAuth parameter object is missing a audience option. If omitted, you are likely only getting an access_token valid for the /userinfo endpoint (on Auth0 itself, not your API). If that was available, you shouldn’t need to proxy Auth0.