Auth0 Home Blog Docs

Calling /userinfo returns an unauthorized error



I’m getting a strange error while calling the /userinfo endpoint. I populate the header field Authorization with the access_token from the token operation:

GET /userinfo HTTP/1.1
 Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5qRkNPVFV5TnpOQk1qQTJRamt6UkVFMlFqazNRMEkwUVRCRVJETkNSakEwTnpFNE5rUkNNUSJ9.eyJpc3MiOiJodHRwczovL21vbnJpZm5ldC10ZXN0LmV1LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNTkwNDk3ODkxNDEyNzc2MTE2MCIsImF1ZCI6Imh0dHBzOi8vbW9ucmlmbmV0LXRlc3QuZXUuYXV0aDAuY29tL2FwaS92Mi8iLCJhenAiOiJESkhLcmhWWTI5bjM2enVDN3RpVFQ5a3luMzQ4bjlmWSIsImV4cCI6MTQ5MTMxNTQxMywiaWF0IjoxNDkxMjI5MDEzfQ.UDzkFrU72nHBqk3YzELYbcW4XOemds91Q54MoUBQ5RcetJobwo7eENrLFP6JlfwNCIR1-XdyZfh0BlyxZlO9HZPaL_Aemxs2BKlFvB_b5BhjoYMtPK-J0-Oz923GzS0yAYg5DrT-rBhP2vXrZLfRtMrdqox-x2D8jBsCd5TFMvbYuo6HXmByCRfwZ9SwQAvZ2pUIntzgY12rfp7NOB6ECqX36PzP2NHwqAlR1WD_WCrl54j4VfnpfZd-6xdaMwV_x_sp08nNFqeMyl0bNcyBlHU6tcJwam5wnmNsfkStgreqdolzHtpLbB-0X82ic0GY-orIJPFzIjuyTw3bqa48vw

but I still get an error:

{"error":"unauthorized","error_description":"invalid credentials"}

Any idea why this happens?


The /userinfo endpoint can be called either with an opaque access token (currently, you could distinguish these because they are represented as 16 characters in length) or with an access token in the JWT format.

When the access token is in the JWT format, the token must list https://[your_account] as an audience(aud) in order for it to be valid to call the /userinfo endpoint.

The access token you’re using does not meet this requirement as it only lists https://[your_account] as a valid audience. When you specify an audience parameter for an endpoint other than the user information one, you need to consider that /userinfo will only be included as an additional audience if the following occurs:

  • the API specified in the audience parameter does not use HS256 as the signing algorithm.
  • you specify a scope parameter that includes openid.

In your scenario it seems that you made a request that satisfied the first point as the Management API uses RS256, but you may have not provided a scope parameter that included openid.


Spot on! Solved my problem. thx -> added ‘openid’ to scope worked