401 Unauthorized Post /oauth/token using Resource Owner Flow

Express App: 6001, React App: 3000.

  var data = {
    grant_type: 'password',
//    client_secret: '---------------',
    audience: 'https://dev-49v8whrc.us.auth0.com/api/v2/',
    // scope: "read:sample",
    password: req.body.password,
    username: req.body.username,
  };

  axios.post('https://dev-49v8whrc.us.auth0.com/oauth/token', data, {
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
  }).then((response: any) => {

  }).catch((error: any) => {

  });

I’m sure of the user credentials and client_id. I signed up the user using the sign-up endpoint and it works. I also tried including the secret and audience keys. Unsure how I’m receiving the error, any hint on what I’m doing wrong? It also works on the debugger but not on my app ;/

Hey @ibrahimsam96,

Thanks for getting in touch with us at Auth0 Community.

I note that you have the client secret commented out; this will need to be present. I tested with the curl below successfully:

curl --request POST \
  --url 'https://YOUR_DOMAIN/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=password \
  --data 'client_id=eLltTv5EmEXOBeZDrjMa4VjGVVVXgc3o' \
  --data 'client_secret=YOUR_CLIENT_SECRET' \
  --data 'audience=https://YOUR_DOMAIN/api/v2/' \
  --data username=USERNAME \
  --data password=PASSWORD

Let me know if you’re still having issues.

Warm regards.


I’m having the same problem whether I include the secret or not.

In the Resource Owner Password Flow, only the grant_type, client_id, username, password are required.

What application type should I select for the above endpoint to work? Currently, in the API debugger, Machine to Machine with None for the token endpoint works, but unfortunately it returns an error when I run it from my app.

Hi @ibrahimsam96
I used a native app in my testing. Does it work if you run your parameters as a curl statement as per my example? This will help troubleshoot the issue. Also, ensure the password grant is enabled on your client.

Look forward to hearing from you.
Warm regards.


Hello everyone,

I had this problem, and noticed that in Postman or with cURL I received the access token with no problems, while when I was trying with Node (axios) it did not work. I stumbled across this, and just deleting the headers in the request fixed the issue.



Thanks for sharing that with the rest of the community!
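
One possible reason why deleting the headers helped, as an added example that is not code from any of the posts above: it assumes the HTTP client JSON-serializes a plain object body and leaves the caller's `content-type` untouched, so the server is told to expect form data but receives JSON. `parseAsServer` is a hypothetical stand-in for server-side body parsing, and all credential values are placeholders.

```javascript
// Constructed placeholder parameters (not real credentials).
const params = {
  grant_type: 'password',
  client_id: 'YOUR_CLIENT_ID',
  username: 'USERNAME',
  password: 'PASSWORD',
  audience: 'https://YOUR_DOMAIN/api/v2/',
};

// Assumption: the client JSON-serializes a plain object body but keeps the
// caller's form content-type header, as in the failing request in the thread.
function mismatchedRequest(p) {
  return {
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: JSON.stringify(p),
  };
}

// Fix reported in the thread: no explicit header, so header and JSON body agree.
function jsonRequest(p) {
  return { headers: { 'content-type': 'application/json' }, body: JSON.stringify(p) };
}

// Alternative: keep the form header and really form-encode the body (what curl --data sends).
function formRequest(p) {
  return {
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams(p).toString(),
  };
}

// Hypothetical stand-in for a server-side parser that trusts content-type.
function parseAsServer(req) {
  const type = req.headers['content-type'];
  if (type.startsWith('application/json')) return JSON.parse(req.body);
  if (type.startsWith('application/x-www-form-urlencoded')) {
    return Object.fromEntries(new URLSearchParams(req.body));
  }
  return {};
}

// True when every parameter the thread lists as required is visible to the server.
function hasRequiredParams(req) {
  const seen = parseAsServer(req);
  return ['grant_type', 'client_id', 'username', 'password'].every((k) => k in seen);
}

for (const build of [mismatchedRequest, jsonRequest, formRequest]) {
  console.log(build.name, hasRequiredParams(build(params)));
}
```

When the request is made from the Express side, logging the outgoing body next to its `content-type` is a quick way to confirm which of these three shapes is actually being sent.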