
401 on /userinfo


I’m having some trouble obtaining user information with an access_token, and unfortunately a lot of the previous questions on this topic refer to which is now private or deleted.

My use case is to retrieve an id_token from a trusted system where there is no user interaction. The process I am using is this:

  1. Get access_token
    First I execute:
curl --request POST \
  --url '' \
  --header 'content-type: application/json' \
  --data '{"grant_type":"password", "username":"admin", "password":"passwordgoeshere", "scope":"openid", "client_id": "clientidgoeshere", "client_secret": "clientsecretgoeshere"}'

This successfully returns an access_token. The token uses RS256, and includes “” as an audience (see the image for the details of the JWT extracted using As far as I’m aware these are the two requirements that a token has to satisfy to call /userinfo.

  2. Call /userinfo

I then execute:

curl --url --header 'Authorization: Bearer accesstokengoeshere'

The result of this is 401, with the WWW-Authenticate header saying

Bearer realm="Users", error="invalid_token", error_description="The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens"

What sequence of calls can I make with curl (because there is no interactive user and no browser) to get an id_token?
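An added example, not code from the original post: before calling /userinfo, decode the access token from step 1 (without verifying it, purely for inspection) and check the conditions the post relies on (RS256, the tenant's /userinfo URL present in `aud`, `openid` in scope), plus the failure mode named in the 401 response (several audiences on an HS256-signed token). The tenant domain `example.auth0.com`, the issuer/audience values derived from it, and the two sample tokens are assumed and constructed for the example; they are unsigned and only serve the offline decode. The `fetch_userinfo` helper shows the actual GET with the bearer header and needs network access and a real token.

```python
"""Inspect an Auth0-style access token before calling /userinfo (added example)."""
import base64
import json
import urllib.request

# Assumed tenant domain for the example; replace with your own Auth0 tenant.
TENANT = "example.auth0.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, payload) of a compact JWS WITHOUT checking the signature.

    For inspection only: never base an authorization decision on these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def userinfo_checklist(token: str, tenant_domain: str) -> dict:
    """Evaluate the conditions /userinfo imposes on an access token."""
    header, payload = decode_jwt_unverified(token)
    userinfo_url = f"https://{tenant_domain}/userinfo"
    aud = payload.get("aud", [])
    if isinstance(aud, str):  # a single audience may be encoded as a plain string
        aud = [aud]
    scopes = payload.get("scope", "").split()
    alg = header.get("alg", "")
    return {
        "alg": alg,
        "audiences": aud,
        "has_userinfo_audience": userinfo_url in aud,
        "has_openid_scope": "openid" in scopes,
        # The 401 text above: several audiences + HS256 cannot be validated.
        "multi_aud_with_hs256": len(aud) > 1 and alg.startswith("HS"),
        "issuer_matches_tenant": payload.get("iss") == f"https://{tenant_domain}/",
    }


def make_unsigned_sample_token(header: dict, payload: dict) -> str:
    """Build a constructed, UNSIGNED token for offline testing only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.not-a-real-signature"


def fetch_userinfo(token: str, tenant_domain: str) -> dict:
    """GET https://{tenant}/userinfo with the bearer token (network required)."""
    req = urllib.request.Request(
        f"https://{tenant_domain}/userinfo",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


# Constructed samples (not real tokens): one that should pass the checklist,
# one that reproduces the multi-audience + HS256 condition from the 401 message.
SAMPLE_RS256_TOKEN = make_unsigned_sample_token(
    {"alg": "RS256", "typ": "JWT"},
    {"iss": f"https://{TENANT}/", "sub": "auth0|123",
     "aud": [f"https://{TENANT}/userinfo", "https://api.example.com"],
     "scope": "openid"},
)
SAMPLE_HS256_MULTI_AUD_TOKEN = make_unsigned_sample_token(
    {"alg": "HS256", "typ": "JWT"},
    {"iss": f"https://{TENANT}/", "sub": "auth0|123",
     "aud": [f"https://{TENANT}/userinfo", "https://api.example.com"],
     "scope": "openid"},
)

if __name__ == "__main__":
    print(json.dumps(userinfo_checklist(SAMPLE_RS256_TOKEN, TENANT), indent=2))
    print(json.dumps(userinfo_checklist(SAMPLE_HS256_MULTI_AUD_TOKEN, TENANT), indent=2))
```

Run the checklist on the real token from step 1 (paste it in place of the sample) with your own tenant domain; if `multi_aud_with_hs256` is true, the fix is on the API side (switch its signing algorithm to RS256), and if `has_userinfo_audience` is false, the token was never issued for /userinfo in the first place.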