Additional properties not allowed: scopes

Hello everyone,

I read these topics [ Updating Application Scopes via API ; I can not set API permissions from Postman ] but couldn’t understand how to solve my problem.

I’m simply trying to add more items to the scope list, but unfortunately I keep getting the message below.

  "statusCode": 400,
  "error": "Bad Request",
  "message": "Payload validation error: 'Additional properties not allowed: scopes'.",
  "errorCode": "invalid_body"

I noticed that you prefer to send some request examples as well. Below is an example request.

curl -L -X PATCH '{resource_server_id}' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer MyValidToken' \
-d '{"scopes":[{"description":"Read Client Grants","value":"read:client_grants"},{"value":"read:permissions","description":"Test to add Read Permission Scope"}]}'

I’ve already tried to fully populate the object presented in the API example in the documentation here. And even then, it was not possible.

I think the problem is because I’m using an Application of type “Machine to Machine”, but I’m not sure.

Can someone kindly help me?

Some Possible Causes:

  1. Incorrect API endpoint or payload format.
  2. “Machine to Machine” application type may have limitations.


  1. Endpoint: Make sure you’re using the correct endpoint for updating the Resource Server.
  2. Payload: Ensure the payload is in the correct format as per Auth0 documentation.

Here’s a revised curl command:

curl -X PATCH '{resource_server_id}' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer MyValidToken' \
-d '{
  "name": "your_resource_server_name",
  "identifier": "your_resource_server_identifier",
  "scopes": [
    {"value": "read:client_grants", "description": "Read Client Grants"},
    {"value": "read:permissions", "description": "Read Permissions"}
  ]
}'

  1. Machine to Machine: If you’re using a Machine to Machine application, verify if it has limitations on modifying scopes.

  2. Token: Make sure the token (MyValidToken) has the necessary permissions to update the Resource Server.

  3. Logs: Check Auth0 logs for more details on the error.

If the issue persists, consider reaching out to Auth0 support.

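For the "Token" item in the reply above, one way to inspect a Management API access token locally before sending the PATCH. This is an added example, not code from the thread or from Auth0; it assumes the token is a JWT whose `scope` claim is a space-separated string and that `update:resource_servers` is the permission needed for the resource-server update, and the helper names and sample tenant URL are constructed.

```python
import base64
import json

# Assumption: the Management API permission that gates
# PATCH /api/v2/resource-servers/{id}.
REQUIRED_SCOPE = "update:resource_servers"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (opaque token?)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, required: str = REQUIRED_SCOPE) -> list:
    """List reasons the token would be refused for the resource-server update."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if not any(a.rstrip("/").endswith("/api/v2") for a in audiences):
        problems.append("audience is not a Management API (/api/v2/) identifier")
    granted = set(claims.get("scope", "").split())
    if required not in granted:
        problems.append(f"scope {required!r} not granted")
    return problems


def make_sample(scope: str, aud: str = "https://tenant.example/api/v2/") -> str:
    """Constructed, unsigned sample token for the demonstration."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"aud": aud, "scope": scope}).encode())
    return f"{header}.{body}.constructed-signature"


if __name__ == "__main__":
    for scope in ("read:client_grants read:resource_servers",
                  "read:resource_servers update:resource_servers"):
        print(scope, "->", check_token(make_sample(scope)) or "ok")
```

This covers the token item only; it does not explain the payload validation message quoted in the thread.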

Hi @suchislife801

I tried using your suggestion above and then :cry:

  "statusCode": 400,
  "error": "Bad Request",
  "message": "Payload validation error: 'Additional properties not allowed: identifier'.",
  "errorCode": "invalid_body"

I tried following the example from Auth0 API Documentation.

I only filled in the fields that are in the documentation and even so it returns the error message saying that the fields are invalid.

  "statusCode": 400,
  "error": "Bad Request",
  "message": "Payload validation error: 'Additional properties not allowed: scopes,name'.",
  "errorCode": "invalid_body"

// When I tried the complete object as in the documentation

"message": "Payload validation error: 'Additional properties not allowed: scopes,signing_alg,token_lifetime_for_web,allow_offline_access,name'.",

I also looked in the ‘Logs’ and there are no logs being written about this issue… :man_shrugging:

I tried by ‘Postman’ and there are no logs as well.

Seriously, I don’t know why this is happening!

And about the limitations, take a look at this screen.

What do you think about it?