Auth0 Home Blog Docs

Auth0 Lock React - Insufficient Scope



I try update the current user email but the Auth0 API response returns 403 error with this payload:

   "message":"You cannot update the following fields: email",

But I pass the scope when I instantiate the lock.

this.lock = new Auth0Lock(clientId, domain, {
      auth: {
        redirectUrl: 'http://localhost:3000/login',
        responseType: 'token',
        params: {
          scope: 'openid email user_metadata app_metadata picture update:users'

My script to send the PATCH:

updateProfile(userId, data){
    const headers = {
      'Accept': 'application/json',
      'Content-Type': 'application/json',
      'Authorization': 'Bearer ' + this.getToken() //setting authorization header
    // making the PATCH http request to auth0 api
    return fetch(`https://${this.domain}/api/v2/users/${userId}`, {
      method: 'PATCH',
      headers: headers,
      body: JSON.stringify(data)
    .then(response => response.json())
    .then(newProfile => {
    }) //updating current profile

Any ideas?


There are a few situations worth mentioning that can lead to the observed behavior. Requests for API authorization access tokens require an audience to be specified and your request does not include one. It’s possible to configure a default audience, but I’m assuming that is not the case because if you configured the Management API as a default audience you would likely be encountering a different error.

Due to the sensitive nature of the operations performed through the Management API most of the scopes are not issued as part of end-user flows. For example, requesting update:users with the Management API audience should result in an error because that scope is not granted to end-users directly.

The recommended approach to obtain Management API tokens includes using a client credentials grant and it’s documented at (

If you want to implement an administration back-end that allows to manage your account the simplest approach would be to implement it as a client application that is able to perform client credentials grant (SPA’s do not meet that requirement). You would also have to implement in such way that only highly privileged users could be able to access this client application.

In conclusion, trying to obtain Management API tokens directly from an end-user flow in a SPA is not recommended/possible; hence the behavior you’re experiencing.