diff --git a/authority/authorize.go b/authority/authorize.go
index 91f1b3cb..8f916e1d 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
@@ -434,7 +434,7 @@ func (a *Authority) AuthorizeRenewToken(ctx context.Context, ott string) (*x509.
 
 	audiences := a.config.GetAudiences().Renew
 	if !matchesAudience(claims.Audience, audiences) {
-		return nil, errs.InternalServerErr(err, errs.WithMessage("error validating renew token: invalid audience claim (aud)"))
+		return nil, errs.InternalServerErr(jose.ErrInvalidAudience, errs.WithMessage("error validating renew token: invalid audience claim (aud)"))
 	}
 
 	// validate issuer: old versions used the provisioner name, new version uses