"403: Forbidden" returned by /oauth/token

I’m using the right credentials as far as I can tell, but /oauth/token is returning 403. Anyone know how to troubleshoot this?

I’m following the instructions at

Here’s what Cypress reports (secrets redacted with “xxx”):

The request we sent was:

Method: POST
URL: https://dev-rr9aqzra.us.auth0.com/oauth/token
Headers: {
“Connection”: “keep-alive”,
“user-agent”: “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36”,
“accept”: “/”,
“accept-encoding”: “gzip, deflate”,
“content-type”: “application/json”,
“content-length”: 264
Body: {“grant_type”:“password”,“username”:“xxx”,“password”:“xxx”,“audience”:“https://dev-rr9aqzra.us.auth0.com/api/v2/",“client_id”:“xxx”,“client_secret”:"xxx”}

The response we got was:

Status: 403 - Forbidden
Headers: {
“date”: “Wed, 29 Dec 2021 02:58:40 GMT”,
“content-type”: “application/json”,
“transfer-encoding”: “chunked”,
“connection”: “keep-alive”,
“cf-ray”: “6c4fc4980dd632fa-EWR”,
“cache-control”: “private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-transform”,
“set-cookie”: [
“did=s%3Av0%3A39b091d0-6853-11ec-a952-1f69958ecbc6.73sp%2BLVZU8NkrJ9VF2ofQoTj1p3hLn7xFlzW5Qj0FGA; Max-Age=31557600; Path=/; Expires=Thu, 29 Dec 2022 08:58:40 GMT; HttpOnly; Secure; SameSite=None”,
“did_compat=s%3Av0%3A39b091d0-6853-11ec-a952-1f69958ecbc6.73sp%2BLVZU8NkrJ9VF2ofQoTj1p3hLn7xFlzW5Qj0FGA; Max-Age=31557600; Path=/; Expires=Thu, 29 Dec 2022 08:58:40 GMT; HttpOnly; Secure”
“strict-transport-security”: “max-age=31536000”,
“vary”: “Accept-Encoding, Origin”,
“cf-cache-status”: “DYNAMIC”,
“expect-ct”: “max-age=604800, report-uri=“https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct””,
“ot-baggage-auth0-request-id”: “6c4fc4980dd632fa”,
“ot-tracer-sampled”: “true”,
“ot-tracer-spanid”: “33a90f300a6b65c4”,
“ot-tracer-traceid”: “734a6576272b2ca1”,
“x-auth0-requestid”: “75d76217265dd20ca3dc”,
“x-content-type-options”: “nosniff”,
“x-ratelimit-limit”: “30”,
“x-ratelimit-remaining”: “29”,
“x-ratelimit-reset”: “1640746721”,
“server”: “cloudflare”,
“alt-svc”: “h3=”:443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400"
Body: {
“error”: “access_denied”,
“error_description”: “Unauthorized”

Hi there @skot :wave:

We need to take a deeper look at what’s going on here. When you get a chance can you snag us a HAR capture of the event occurring and send that paired with the tenant name in a direct message over to myself & @rueben.tiow in the same message? Thanks in advance!

1 Like

did you found nay solution? b’coz i was looking for the same!
Toys r us credit card


I wound up using the plugin at GitHub - sir-dunxalot/cypress-nextjs-auth0: Cypress commands to support Auth0 and Next.js
with this configuration:

// cypress/plugins/index.js
import dotenv from 'dotenv';
dotenv.config({ path: '.env.local' });

const encrypt = require('cypress-nextjs-auth0/encrypt');

export default (on, config) => {
  // required for cypress-nextjs-auth0/encrypt
  // see https://github.com/sir-dunxalot/cypress-nextjs-auth0/issues/23#issuecomment-958144472
  on('task', { encrypt });
  config.env.auth0Audience = process.env.AUTH0_AUDIENCE;
  config.env.auth0Domain = process.env.AUTH0_ISSUER_BASE_URL;
  config.env.auth0ClientId = process.env.AUTH0_CLIENT_ID;
  config.env.auth0ClientSecret = process.env.AUTH0_CLIENT_SECRET;
  config.env.auth0CookieSecret = process.env.AUTH0_SECRET;
  config.env.auth0Scope = 'openid profile email';
  config.env.auth0SessionCookieName = 'appSession';
  config.env.auth0Username = process.env.AUTH0_TEST_USERNAME;
  config.env.auth0Password = process.env.AUTH0_TEST_PASSWORD;

  return config;
1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Hi @skot,

Thank you for sending over the HAR file.

After inspecting your HAR file closely, I found that it did not capture the events leading up to the request to /oauth/token where you observed the 403 Forbidden error.

Generally, the 403 Forbidden error happens when the authorization code passed in the request is invalid, revoked, or expired. This is detailed in the RFC 6749 - The OAuth 2.0 Authorization Framework specification.

Looking further, I found that you also received an “access_denied” and “unauthorized” error. This could happen when your request passed an incorrect client_id or client_secret. You may also need to make sure that these values match the ones provided in your application settings in the Auth0 Dashboard.

Once that is complete, you can log in and obtain the access token.

If you have any further issues, please don’t hesitate to reach out.

Thank you.