Access withApiAuthRequired endpoint in Next.js application with Postman

Howdy all🤠,

we have a Next.js application up and running with some protected API endpoints.
Our app uses @auth0/nextjs-auth0 for authenticating users with Auth0 and everything works like a charm. However, we want to use Postman now to call these endpoints for an easier debug experience.

Current Auth0 Setup:

  • Regular Web Application setup with client id and client secret
  • Custom API with M2M Authorized for Web Application

When I send a request with Postman to {{AUTH0_ISSUER_BASE_URL}}/oauth/token with this body:

{
  "grant_type": "client_credentials",
  "client_id": "{{AUTH0_CLIENT_ID}}",
  "client_secret": "{{AUTH0_CLIENT_SECRET}}",
  "audience": "{{AUTH0_AUDIENCE}}"
}

I get an access_token. However using this access_token for Bearer Authentication to one of my protected routes leads me to this error:

{
    "error": "not_authenticated",
    "description": "The user does not have an active session or is not authenticated"
}

This is a small snippet of an endpoint:

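import type { NextApiRequest, NextApiResponse } from 'next';
import { getSession, withApiAuthRequired } from '@auth0/nextjs-auth0';

// `Data` is the response type; its definition is not shown in the post.
export default withApiAuthRequired(
	async (req: NextApiRequest, res: NextApiResponse<Data>) => {
		// Read the user's session for this request
		const session = await getSession(req, res);
		if (!session) {
			res.status(401).json({ error: 'No session found' });
			return;
		}
		// ...
	}
);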

I can’t make this example work without disabling authorization at all. I also couldn’t find a solution in the docs.

Is this even the correct approach or is there a misunderstanding?

Kind regards,
Robert