Action on M2M Resource Owner Password Grant


I am trying to write an action for limiting logins to a resource owner password grant. I’ve created an action on the M2M flow:

const passwordGrantTestUsers = [""]
exports.onExecuteCredentialsExchange = async (event, api) => {
  if (event.request.body.grant_type === "password") {
    if (passwordGrantTestUsers.indexOf(event.request.body.username) === -1) {
      api.access.deny('invalid_request', "Not a test account on a test client");
    }
  }
};

However, this never seems to run?

My tenant is a test one:

Could use some insight on this.

Hi @techwolf12,

Yes, what you observed is expected. The M2M Action flow only runs for the client credentials flow. Because you are trying to use the resource owner password grant flow, the M2M action script won’t run.

In this case, you will need to use the Post Login Action flow instead.

Let me know if you have any questions.


Thanks for the info!

Managed to get it working with the following:

const passwordGrantTestUsers = [""]
exports.onExecutePostLogin = async (event, api) => {
  if (event.transaction.protocol === "oauth2-resource-owner" || event.transaction.protocol === "oauth2-password") {
    // the argument to indexOf() is missing from the post as published
    if (passwordGrantTestUsers.indexOf( === -1) {
      api.access.deny('invalid_request', "Not a test account on a password grant client");
    }
  }
};
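An added example, not part of the thread and not Auth0's own code: the same Post Login check with the decision split into a function that can be exercised locally and that fails closed when the account identifier is absent. It assumes accounts are matched on `event.user.email` (the identifier in the post is missing); the allowlist entry is constructed, and `passwordGrantDenial` and `simulate` are hypothetical names.

```javascript
// Constructed allowlist entry; the list in the post was blank.
const PASSWORD_GRANT_TEST_USERS = new Set(["qa-user@example.test"]);
// Protocol values taken from the working Action in the thread.
const PASSWORD_GRANT_PROTOCOLS = new Set(["oauth2-resource-owner", "oauth2-password"]);
const DENY_REASON = "Not a test account on a password grant client";

// Returns a denial reason, or null when the login may proceed.
function passwordGrantDenial(event) {
  const protocol = event.transaction && event.transaction.protocol;
  // Any flow other than the password grant is left untouched.
  if (!PASSWORD_GRANT_PROTOCOLS.has(protocol)) return null;
  // Assumption: test accounts are identified by event.user.email.
  const email = event.user && event.user.email;
  // Fail closed: a missing identifier must not slip past the allowlist.
  if (typeof email !== "string" || email === "") return DENY_REASON;
  // Compare case-insensitively so "QA-User@..." matches the stored entry.
  return PASSWORD_GRANT_TEST_USERS.has(email.toLowerCase()) ? null : DENY_REASON;
}

const onExecutePostLogin = async (event, api) => {
  const reason = passwordGrantDenial(event);
  // deny() is called in the same form as in the post.
  if (reason) api.access.deny("invalid_request", reason);
};
// Export for the Actions runtime when a CommonJS `exports` object exists.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Local stand-in for the Actions runtime: records every deny() call.
function simulate(protocol, email) {
  const denials = [];
  const api = { access: { deny: (...args) => denials.push(args) } };
  // The handler contains no await, so it has finished when this call returns.
  onExecutePostLogin({ transaction: { protocol }, user: { email } }, api);
  return denials;
}

// Constructed sample logins.
console.log(simulate("oauth2-password", "QA-User@example.test"));
console.log(simulate("oauth2-resource-owner", "someone@example.test"));
console.log(simulate("oidc-basic-profile", "someone@example.test"));
console.log(simulate("oauth2-password", undefined));
```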

