
Calling the authorization extension API from a rule



I want to call the authorization extension API from a rule in order to obtain the full group details for a user (i.e. including the group description).

I took the code from the rule that’s generated by the extension, and made a new rule that executes the following query:

  // Get the groups for the user. `request` is the HTTP client available in the
  // rule sandbox; EXTENSION_URL is the base URL of the authorization extension.
  function getUserGroups(user, context, cb) {
    request.get({
      url: EXTENSION_URL + "/api/users/" + user.user_id + "/groups",
      headers: {
        "x-api-key": "94ec..."
      },
      timeout: 5000
    }, cb);
  }

But the request fails with a missing authentication error:

12:35:41 PM: 180220/113541.054, [log,error] data: Request: GET /api/users/auth0%7C5968d1...7c6feca7/groups
12:35:41 PM: 180220/113541.055, [log,error] data: Response: {
  "data": null,
  "isBoom": true,
  "isServer": false,
  "output": {
    "statusCode": 401,
    "payload": {
      "statusCode": 401,
      "error": "Unauthorized",
      "message": "Missing authentication"
    },
    "headers": {
      "WWW-Authenticate": "Token"
    }
  }
}

Should the x-api-key token also work for this endpoint, or do I need to make a request to /oauth/token to get my own access_token each time?


You need to use a bearer token that contains the necessary scopes.

To retrieve such a token, you’ll first need to create a non-interactive client and grant it access to the Authorization extension API by going to the APIs section, clicking the auth0-authorization-extension-api API and then authorizing it under the Non Interactive Clients tab. This is more or less the same process as retrieving a token for the management API.

You can then request the token like so using the client ID and secret of your non-interactive client:

curl --request POST \
  --url https://<your-tenant>.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"...","client_secret":"...","audience":"urn:auth0-authz-api","grant_type":"client_credentials"}'

With this token, you will need to specify it in the Authorization header rather than use the x-api-key header when you make the request, e.g.:

headers: {
    "Authorization": "Bearer <token>"
}
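Putting the answer together, here is an added example (not code from the original post or from the extension) of rule-style logic that requests a client_credentials token for the authorization extension API, caches it so /oauth/token is not called on every login, and then calls the groups endpoint with a Bearer header. TOKEN_URL, EXTENSION_URL, CLIENT_ID and CLIENT_SECRET are placeholders you must fill in; `doRequest(opts, cb)` stands in for the sandbox's `request` calls and `now` is the current time in ms, both injected so the logic can be exercised offline.

```javascript
const TOKEN_URL = "https://YOUR_DOMAIN/oauth/token";      // placeholder tenant token endpoint
const EXTENSION_URL = "https://YOUR_DOMAIN/authz";        // placeholder extension base URL
const CLIENT_ID = "<non-interactive client id>";          // placeholder
const CLIENT_SECRET = "<non-interactive client secret>";  // placeholder
// Token cache. In a real rule this would live on `global`, which persists between
// executions in the same sandbox, so most logins skip the /oauth/token round trip.
const cache = { token: null, expiresAt: 0 };

function getAuthzToken(doRequest, now, cb) {
  // Reuse the cached token while it still has more than 60 s of life left.
  if (cache.token && cache.expiresAt - now > 60000) return cb(null, cache.token);
  doRequest({
    method: "POST", url: TOKEN_URL,
    json: {
      client_id: CLIENT_ID,
      client_secret: CLIENT_SECRET,
      audience: "urn:auth0-authz-api",
      grant_type: "client_credentials"
    },
    timeout: 5000
  }, (err, res, body) => {
    if (err) return cb(err);
    if (res.statusCode !== 200 || !body || !body.access_token) {
      return cb(new Error("token request failed: " + res.statusCode));
    }
    cache.token = body.access_token;
    cache.expiresAt = now + body.expires_in * 1000;
    cb(null, cache.token);
  });
}

// Fetch the user's full group objects (including description) with a Bearer token.
function getUserGroups(user, doRequest, now, cb) {
  getAuthzToken(doRequest, now, (err, token) => {
    if (err) return cb(err);
    doRequest({
      method: "GET",
      // user_id contains "|", so it must be URL-encoded (auth0%7C... as in the log above).
      url: EXTENSION_URL + "/api/users/" + encodeURIComponent(user.user_id) + "/groups",
      headers: { Authorization: "Bearer " + token },  // Bearer token, not x-api-key
      json: true, timeout: 5000
    }, (err, res, body) => {
      if (err) return cb(err);
      if (res.statusCode === 401) return cb(new Error("extension rejected the token"));
      if (res.statusCode !== 200) return cb(new Error("groups request failed: " + res.statusCode));
      cb(null, body);
    });
  });
}
```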

