My application has a React frontend, using auth0-spa to handle authentication. My backend is a .NET Core 3.0+ web API. I want to update a user’s properties when a user calls a certain endpoint on my backend system. When I use the client.Users.UpdateAsync method in the SDK, I receive the following error:
{
  "statusCode": 403,
  "error": "Forbidden",
  "message": "User to be acted on does not match subject in bearer token.",
  "errorCode": "unowned_resource"
}
All other methods in the SDK have worked perfectly without any problems. I am calling Auth0 using a Machine-to-Machine token and the Auth0 API currently has all scope permissions selected (for testing). I am trying to understand what this error means and why this specific method of updating a User throws an error, where all other methods work fine with the tokens I’m generating. Is there something special about the User endpoints on Auth0 that require different tokens or permissions I’m not aware of?