Access Token Rejected When Calling Auth0 APIs

Last Updated: Nov 4th, 2024

Overview

This article explains why a 401 Unauthorized error is returned when an Auth0 endpoint is called with an Auth0-issued Access Token that carries the correct scopes.

Applies To

  • Access Tokens
  • Auth0 Endpoints
  • 401 Unauthorized Error

Cause

Auth0 Access Tokens carry an Issuer (iss) claim that records the domain from which the token was requested. When an Access Token is requested from the Custom Domain with the Auth0 Management API as the target audience, the request to the API must be made through that same Custom Domain. Otherwise, the Access Token is considered invalid.

Auth0 issues Access Tokens for the domain to which the request was made and will reject tokens issued for other domains.

Likewise, passing an incorrect API identifier (audience) or using a Token with insufficient scopes will lead to invalid requests.

Solution

If a request to an Auth0 API returns a 401 Unauthorized error, make sure to:

  • Use the same Auth0 Domain for both obtaining the Access Token and using it.
  • Confirm that the Audience of the Access Token and the targeted endpoint or API match.
  • Check the Scopes in the Access Token are sufficient for the endpoint being targeted.
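
To put the three checks above into practice before retrying a failing call, the following Python example (added here, not part of the Auth0 article) inspects a token's issuer, audience and scopes against the domain and API you are about to call. The domains, API identifier and token are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlparse


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED demo token (placeholder signature) for inspection only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def decode_payload(token: str) -> dict:
    """Decode the JWT payload without verifying it: this is diagnostics, not validation."""
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(part))


def preflight_check(token: str, request_domain: str, api_audience: str, required_scopes: set) -> list:
    """Return the reasons an Auth0 API call with this token is expected to be rejected.

    Mirrors the three checks in the Solution section: the issuer domain must equal the
    domain the request goes to, the audience must name the target API, and the token's
    scopes must cover what the endpoint needs. An empty list means all three checks pass.
    """
    claims = decode_payload(token)
    problems = []
    issuer_host = urlparse(claims.get("iss", "")).hostname or ""
    if issuer_host != request_domain:
        problems.append(f"issuer domain {issuer_host!r} != request domain {request_domain!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if api_audience not in aud:
        problems.append(f"audience {aud!r} does not include {api_audience!r}")
    missing = required_scopes - set(claims.get("scope", "").split())
    if missing:
        problems.append(f"missing scopes: {sorted(missing)}")
    return problems


if __name__ == "__main__":
    # Constructed placeholders: token obtained via a custom domain, but the Management API
    # is then called on the canonical tenant domain, which is the mismatch this article describes.
    token = make_demo_token({"iss": "https://login.example.com/",
                             "aud": "https://example-tenant.auth0.com/api/v2/",
                             "scope": "read:users"})
    print(preflight_check(token, "example-tenant.auth0.com",
                          "https://example-tenant.auth0.com/api/v2/", {"read:users", "update:users"}))
```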
