
401 on /userinfo


I’m having some trouble obtaining user information with an access_token, and unfortunately a lot of the previous questions on this topic refer to which is now private or deleted.

My use case is to retrieve an id_token from a trusted system where there is no user interaction. The process I am using is this:

  1. Get access_token
    First I execute:
curl --request POST \
  --url '' \
  --header 'content-type: application/json' \
  --data '{"grant_type":"password", "username":"admin", "password":"passwordgoeshere", "scope":"openid", "client_id": "clientidgoeshere", "client_secret": "clientscretgoeshere"}'

This successfully returns an access_token. The token uses RS256, and includes “” as an audience (see the image for the details of the JWT extracted using ). As far as I’m aware these are the two requirements that a token has to satisfy to call /userinfo.

  2. Call /userinfo

I then execute:

curl --url '' --header 'Authorization: Bearer accesstokengoeshere'

The result of this is 401, with the WWW-Authenticate header saying

Bearer realm="Users", error="invalid_token", error_description="The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens"

What sequence of calls can I make with curl (because there is no interactive user and no browser) to get an id_token?


Hello! You should be getting an id_token back from your original call to /oauth/token. Can you confirm you see both an access_token and id_token? In that case, you won’t need to call userinfo (if the id_token gives you what you need).

If you need to make a call to userinfo, I don’t see any obvious issues with your steps here. One thing I would double check however is that you are using the access_token to call the userinfo API, not the id_token. Remember, the access_token is what you use to call APIs (including userinfo).

Hope this helps!
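The two things worth checking before retrying the /userinfo call are the ones the 401 and the reply above point at: which algorithm signed the token and how many audiences it carries (HS256 with more than one audience fails signature validation), and whether the token handed to /userinfo is really the access_token rather than the id_token (an id_token's aud is the client_id, not an API identifier). The script below is an added example, not code from the original post or from Auth0; it decodes a JWT without verifying it, purely as a diagnostic, and reports those conditions. The tenant URL, API identifier and the sample tokens are constructed for the demo.

```python
import base64
import json

# Hypothetical tenant and API identifier; not taken from the original post.
USERINFO_URL = "https://example.auth0.com/userinfo"
API_AUDIENCE = "https://api.example.com"


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    """Base64url-encode without padding, as the JWS compact form requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, payload) of a compact JWS WITHOUT verifying the signature.
    Diagnostic only: never make an authorization decision on this output."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return (json.loads(_b64url_decode(parts[0])),
            json.loads(_b64url_decode(parts[1])))


def check_userinfo_token(token: str, userinfo_url: str = USERINFO_URL) -> dict:
    """Explain why /userinfo might answer 401 for this token.

    Checks the signing algorithm against the number of audiences (the case the
    error_description in the thread describes) and whether the /userinfo
    endpoint is among the audiences at all (it is not for an id_token).
    """
    header, payload = decode_jwt_unverified(token)
    aud = payload.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    alg = header.get("alg")
    problems = []
    if alg == "HS256" and len(audiences) > 1:
        problems.append("HS256 token with more than one audience: /userinfo cannot "
                        "validate the signature; configure the API for RS256")
    if userinfo_url not in audiences:
        problems.append(f"{userinfo_url} is not in aud: this is probably not the "
                        "access_token (an id_token's aud is the client_id)")
    return {"alg": alg, "aud": audiences, "problems": problems}


def bearer_header(token: str) -> dict:
    """The header the second curl call needs, as a single quoted value."""
    return {"Authorization": f"Bearer {token}"}


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a constructed sample token for the demo. The signature segment is a
    placeholder, which is fine because check_userinfo_token never verifies it."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"placeholder-signature")])


# Constructed samples, not real tokens from the post.
GOOD_TOKEN = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT"},
    {"iss": "https://example.auth0.com/", "sub": "auth0|123",
     "aud": [API_AUDIENCE, USERINFO_URL], "scope": "openid"})
HS256_MULTI_AUD = make_unsigned_token(
    {"alg": "HS256", "typ": "JWT"},
    {"aud": [API_AUDIENCE, USERINFO_URL], "scope": "openid"})
ID_TOKEN_LIKE = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT"},
    {"aud": "clientidgoeshere", "sub": "auth0|123", "nonce": "n"})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("hs256", HS256_MULTI_AUD),
                      ("id_token", ID_TOKEN_LIKE)]:
        print(name, check_userinfo_token(tok))
```

Paste the real access_token from the /oauth/token response into check_userinfo_token before calling /userinfo; an empty problems list means the token at least satisfies the two requirements the thread discusses, and the remaining causes of a 401 are outside what can be read from the token itself.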