Add Permissions Via Management API

Hi,

I’m trying to use the Management API to create a set of new permissions, but the request fails. I’m following the example from this page. Here’s the cURL command anyway though:

curl --request PATCH \
--url 'https://{MY_DOMAIN}.auth0.com/api/v2/resource-servers/API_ID' \
--header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json' \
--data '{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }'

I’ve replaced API_ID with the target API that I’m trying to add permissions to (AKA not the MGMT API), and I’ve replaced MGMT_API_ACCESS_TOKEN with the Management API token (not a token from any of the other APIs I have defined). I’m basically just following the instructions from the page.

This is the response JSON:

{"statusCode":401,"error":"Unauthorized","message":"Bad audience: https://{MY_DOMAIN}.auth0.com/api/v2/"}%

Have a somehow botched the setup for my cURL command (using the wrong token or API ID)? I’m not really sure why this fails.

Any insight would be much appreciated!

Hi @jvivanco - welcome back to the Auth0 Community!

That error is provided when the token that you are using to authenticate has a different audience than what intended. Bear in mind that the audience parameter during your authentication flow will indicate who this token was intended for.

Could you try introspecting your token in https://jwt.io, and checking that the aud claim does mention https://yourdomain.auth0.com/api/v2/?

Ah… sooooo, the issue was something really dumb on my part :grimacing:. I was logged in on our dev tenant on the Auth0 Mgmt Portal but on the docs page, I was logged into our prod tenant. When logged into the docs page, it’ll pre-populate the domain for you, and in this case it was using the wrong domain. Easy fix.

Side note: when I tested the request to add permissions, it actually replaced the entire permissions set with the ones from the request (not realizing the request to add permissions is PATCH request). So just a heads up to everyone else that might see this thread lol.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.