Another Unauthorized New User

I am getting ‘unauthorized’ in response to a request for an access token. The problem is every context is different, and the only information returned is ‘unauthorized’. I can’t tell if this is from the auth0 side, a tenant issue or the client api. My script is below, thank you for the assistance.

```javascript
// Command-line script: takes the e-mail and password as arguments.
import getToken from "../lib/getToken";

(async () => {
  const [email, password] = process.argv.slice(2);
  const access_token = await getToken(email, password).catch(error => {
    // getToken rejects with an Error; report its message.
    console.error(error.message);
  });
})();
```

```javascript
// lib/getToken (the module imported above)
import request from "request";
import util from "util";

// Promise-returning wrapper around the callback-style request().
const requestPromise = util.promisify(request);

export default async function(username, password) {
  const options = {
    method: "POST",
    url: `https://${process.env.AUTH0_DOMAIN}/oauth/token`,
    headers: { "content-type": "application/x-www-form-urlencoded" },
    form: {
      audience: process.env.AUTH0_AUDIENCE,
      client_id: process.env.AUTH0_CLIENT_ID_GRAPHQL,
      client_secret: process.env.AUTH0_CLIENT_SECRET_GRAPHQL,
      grant_type: "",
      password,
      realm: "Username-Password-Authentication",
      scope: "openid",
      username
    }
  };

  // Network-level failures (DNS, TLS, connection refused) surface here.
  const response = await requestPromise(options).catch(error => {
    throw new Error(error);
  });
  const body = JSON.parse(response.body);
  const { access_token } = body;

  // No token in the reply: surface the server's description if it sent one.
  if (!access_token) {
    throw new Error(
      body.error_description || "Cannot retrieve access token."
    );
  }

  return access_token;
}
```

Hi @lastneutrino,

Welcome to the Community!

Have you looked in your Auth0 logs to see if there is any more detail in the error? You may need to set up your app to use the grant-type password. Have you done that in your application settings in the dashboard?

If you can’t figure it out from that, can you please DM me your tenant name and the client ID so I can take a look at your config? Thanks!


Thank you - and thank you for contributing to the community.

I got it working - when I went to the application setting like you recommended, I noticed the domain was missing the regional specifier.

Honestly I can’t tell where auth logs really are. When I look in my server directory, or my STDOUT, I don’t see any output other than “unauthorized”. Are the logs somewhere on the site? I only see the activity page, which doesn’t have the level of logging that would be useful. I feel like I’m missing all the lower level stuff that I’m used to looking at.

I should have also mentioned I am familiar with the “Logs” tab, but this is way too high level for me to even consider it a developer log. It’s valuable for the system level, but not the lower levels required for development.

What kind of granularity are you looking for?

Hi Dan -

For more granularity (in terms of this problem), I had no way of telling what ‘unauthorized’ meant - when in actuality I really had the wrong domain - so I wasn’t ‘unauthorized’ - in this case ‘unauthorized’ is a catch-all for ‘failure’. I assumed I had the right domain because of that error message. However, that doesn’t indicate to me if the signed keys weren’t available to me to encode the JWT, or if my password itself wasn’t good - which I would assume would be ‘unauthenticated’. So with this, I would assume the following error possibilities since I didn’t have the regional domain:

  1. Domain request error
  2. Signing error
  3. Authentication error

“Unauthorized” doesn’t really map to any of those

Are you referring to the error you receive in the response? Unauthorized errors are typically intentionally vague to prevent things like enumeration attacks.

Can you please send me your tenant name in a DM and an approx time of the error so I can look at what you’re talking about?

That’s the problem - since I had the incorrect domain, there wouldn’t be any history of it, unless actually logged dumb requests like mine. :slight_smile:

…not sure there is much we can do if you are hitting the wrong domain. I’m going to mark this resolved.
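
An added example, not code from this thread or from Auth0: a client-side helper that reports which host answered the token request and whether the reply was an RFC 6749 error document at all, instead of surfacing only `error_description`. The names `diagnoseTokenResponse` and `OAUTH_ERRORS`, the sample URL and the sample replies are constructed for illustration, and it assumes a reply from the wrong host may not be OAuth JSON.

```javascript
// Added example: turn a token-endpoint reply into a diagnosis that names the
// host that answered and the class of failure, without echoing any secrets.
// Error codes are the standard ones from RFC 6749 section 5.2.
const OAUTH_ERRORS = {
  invalid_request: "malformed request (missing or repeated parameter)",
  invalid_client: "client authentication failed (client_id / client_secret)",
  invalid_grant: "credentials or grant rejected (username / password)",
  unauthorized_client: "client is not allowed to use this grant type",
  unsupported_grant_type: "grant_type not supported by this server",
  invalid_scope: "requested scope is invalid or exceeds what was granted",
};

function diagnoseTokenResponse(url, statusCode, rawBody) {
  const host = new URL(url).host; // host only: the form body holds secrets
  let body = null;
  try {
    body = JSON.parse(rawBody);
  } catch (_) {
    // A bare "Unauthorized" or an HTML page is not an OAuth error document.
  }
  const isObject = body !== null && typeof body === "object";
  if (isObject && typeof body.access_token === "string") {
    return { ok: true, host, statusCode, category: "success" };
  }
  if (isObject && typeof body.error === "string") {
    return {
      ok: false, host, statusCode,
      category: body.error,
      hint: OAUTH_ERRORS[body.error] || "non-standard error code from the server",
      detail: body.error_description || null,
    };
  }
  return {
    ok: false, host, statusCode,
    category: "non_oauth_response",
    hint: `reply from ${host} is not an OAuth JSON error; verify the domain first`,
    detail: String(rawBody).slice(0, 80), // short excerpt of the raw reply
  };
}

// Constructed sample replies (not captured from a real tenant).
const SAMPLE_URL = "https://tenant.example.com/oauth/token";
console.log(diagnoseTokenResponse(SAMPLE_URL, 401, "Unauthorized"));
console.log(diagnoseTokenResponse(SAMPLE_URL, 400,
  '{"error":"invalid_grant","error_description":"Wrong email or password."}'));
```

Logging the returned object on the client keeps the server's reply deliberately vague while still showing the developer which of the failure classes listed in the thread applies.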