The thing is that the token needs the update:users scope. You may receive a token with this scope using the request https://<tenantName>.auth0.com/oauth/token , however, it implies that client info will be visible (tried that with GitHub Project do my homework for me).