Add Permissions Via Management API

jvivanco · September 17, 2020, 7:09pm

Hi,

I’m trying to use the Management API to create a set of new permissions, but the request fails. I’m following the example from this page. Here’s the cURL command anyway though:

curl --request PATCH \
--url 'https://{MY_DOMAIN}.auth0.com/api/v2/resource-servers/API_ID' \
--header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json' \
--data '{ "scopes": [ { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" }, { "value": "PERMISSION_NAME", "description": "PERMISSION_DESC" } ] }'

I’ve replaced API_ID with the target API that I’m trying to add permissions to (AKA not the MGMT API), and I’ve replaced MGMT_API_ACCESS_TOKEN with the Management API token (not a token from any of the other APIs I have defined). I’m basically just following the instructions from the page.

This is the response JSON:

{"statusCode":401,"error":"Unauthorized","message":"Bad audience: https://{MY_DOMAIN}.auth0.com/api/v2/"}%

Have a somehow botched the setup for my cURL command (using the wrong token or API ID)? I’m not really sure why this fails.

Any insight would be much appreciated!

joseantonio.rey · September 18, 2020, 2:07am

Hi @jvivanco - welcome back to the Auth0 Community!

That error is provided when the token that you are using to authenticate has a different audience than what intended. Bear in mind that the audience parameter during your authentication flow will indicate who this token was intended for.

Could you try introspecting your token in https://jwt.io, and checking that the aud claim does mention https://yourdomain.auth0.com/api/v2/?

jvivanco · September 18, 2020, 4:38pm

Ah… sooooo, the issue was something really dumb on my part . I was logged in on our dev tenant on the Auth0 Mgmt Portal but on the docs page, I was logged into our prod tenant. When logged into the docs page, it’ll pre-populate the domain for you, and in this case it was using the wrong domain. Easy fix.

Side note: when I tested the request to add permissions, it actually replaced the entire permissions set with the ones from the request (not realizing the request to add permissions is PATCH request). So just a heads up to everyone else that might see this thread lol.

system · October 3, 2020, 4:38pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Create a permission using a API Help management-api , resource-servers	5	606	December 19, 2023
401 "Bad audience:' when trying to access Management API Help management-api	19	19154	October 5, 2022
401 - Bad Audience Help management-api , users	3	1822	July 5, 2023
Adding audience to token Help jwt , auth0 , management-api	3	5434	May 25, 2024
Bad audience when calling Management API using Machine-to-Machine App Help management-api , access-token	5	2812	May 25, 2022

Add Permissions Via Management API

Related Topics