Any guidance on regular web app crdentials correct usage to access Management API?

h825 · January 29, 2024, 11:09am

Working on Remix app that reuses Management API client defined like this (to update user / metadata):

import { ManagementClient } from 'auth0';

const management = new ManagementClient({
    domain: getOrThrow("AUTH0_DOMAIN"),
    clientId: getOrThrow("AUTH0_CLIENT_ID"),
    clientSecret: getOrThrow("AUTH0_CLIENT_SECRET"),
});

...

return await management.users.update({ id: userId }, filteredUpdate);

It doesn’t work with message:

AuthApiError: Client is not authorized to access "https://MY_AUTH0_DOMAIN.au.auth0.com/api/v2/". You need to create a "client-grant" associated to this API. See: https://auth0.com/docs/api/v2#!/Client_Grants/post_client_grants

Ok, reading article and trying to create grants exactly as described in the documentation:

curl -L 'https://login.auth0.com/api/v2/client-grants' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d '{
    "client_id":"MY_CLIENT_ID",
    "audience":"https://MY_APP_DOMAIN.au.auth0.com/api/v2/",
    "scope":["create:client_grants"]
}'

and it fails with error

{"statusCode":401,"error":"Unauthorized","message":"Missing authentication"}

It seems like either I missing something or documentation is incomplete, but I cannot get what to fix.

All the credentials are used on the server side and never leaking to the client.

Please assist!

marcelina.barycka · January 29, 2024, 3:05pm

Hey there @h825 ,

Your Management API Client has to be added to your Auth0 tenant as an M2M application. This M2M application has to be Authorized for the Management API along with relevant permissions, like update:users (you can do all this via Auth0 dashboard):

In your case I believe you are missing the last part - permissions.

Please let us now how it goes!

h825 · January 29, 2024, 7:33pm

Thank you @marcelina.barycka. I try to do that but could you please point me also to the docs section which describes WHY it works this way. I checked “flows” section and it seems legit to use client id/secret for actions like this. Now I cannot get full work cycle.

marcelina.barycka · January 30, 2024, 11:15am

You’re welcome @h825 !

I believe you ask why in a backend service (like a regular web app) you still need to use the Management Api Client credentials and a linked to it M2M flow.

Any time you want to:

update user data
perform administrative tasks to your Auth0 tenant

you use the M2M apps granted relevant for these tasks permissions.

In contrast, if your backend service integrate with Auth0 to perform user’s authentication and authorization, you use flows reserved to Regular Web Apps.

system · February 13, 2024, 11:16am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Custom API access Management API Help auth0 , api , management-api	4	4790	November 11, 2021
Node-auth0 doesn't automatically obtain token for the management api Help management-api , users	4	468	April 2, 2024
Auth0 management-api for regular web application Help management-api , users	2	531	February 16, 2024
Allowing users to create api keys Help consent , application	2	16	September 10, 2024
Auth0Client for M2M? Help apis , application	4	312	April 22, 2024

Any guidance on regular web app crdentials correct usage to access Management API?

Related Topics