Auth0 Home Blog Docs

Cannot login using email and password form




While Social Login works fine, I am not able to login using email and password. Lock says ‘Wrong Username or Password’.

This is a new installation and I’ve copied the login and get user scripts made available in one of the threads of this forum.

The login script test under custom database fails with the same error message.

However, the user exists in WordPress and the password is correct. I can login using the same set of credentials with the default WordPress login form. Besides, the site allows for anyone to register. The Lock url is

Edit: The alternate import/export extension to migrate WordPress users fails with a something like ‘required property not found: email’. The JSON file, exported from mySQL does have a user-email field. Is this a limitation of the free / trial version?

Can someone here please advice how to fix this?

Kind regards,


Sorry for the trouble @backpackingseries … did you try the troubleshooting steps in that thread? Did you do the automated setup with user migration or manually build out the script from that thread.

I would lean towards that script being incorrect if it fails in both places. If you can paste your script here (minus any sensitive data like the migration token), that might be helpful.



Thank you, Josh.

Yes, I did the manual configuration (because automatic failed) of creating application, database connection, etc. following Auth0’s tutorial docs and then looked up support threads. Here are the scripts I took from the Github link mentioned in the thread referred to above.

Login Script:

    function login (email, password, callback) {
      var request = require("request");"", {
        form:{username:email, password:password, access_token:"_secretaccesstoken_"},
      }, function(error, response, body){
        if ( error ) {
          return callback(error);
        var info = JSON.parse(body);
        if (info.error) {
        } else {
          var profile = {
            email_verified: true,
          callback(null, profile);

Get User Script:

    function getByEmail (email, callback) {
      var request = require("request");"", {
        form:{username:email, access_token:"_secretaccesstoken_"},
      }, function(error, response, body){
        if ( error ) {
          return callback(error);
        var info = JSON.parse(body);
        if (info.error) {
        } else {
          var profile = {
            email_verified: true
          callback(null, profile);

What am I missing? Could you please advice on the correct way?

Thank you
Kind regards,


Everything seems ok there at a glance. The actual script we use is maintained here but has not changed recently:

The best bet, in my mind, is to debug that script in the Auth0 dashboard by using console.log() and trying the 2 scripts. Keep in mind that it’s matching on email so that’s what you’ll need to use to log in.


Thank you for your support. Really appreciate it.

Before I head in that direction of console.log, I just wanted to verify whether how I input the access token generated from WordPress Auth0 plugin is correct way.

When I toggle the switch for User Migration in WordPress Auth0 plugin and save the configuration, it shows an error message that manual config is required and also shows a long token. However, the token is greyed out and I cannot copy/paste it. I had to manually enter it in the Login script in Auth0 Dashboard. For the length of that token, it can be a painful process!

Is it how the developers intended it to be? Or is something wrong with my WordPress Auth0 plugin setup?

Kind regards,


As I continue to troubleshoot, over the past few days, I have noticed the following type of entries in the error log in WordPress - Auth0 plugin

WP_Auth0_Routes::migration_ws_login 0 Algorithm not allowed
WP_Auth0_Routes::migration_ws_get_user 0 Signature verification failed, check "Client Secret Base64 Encoded" value matches your Auth0 client.
WP_Auth0_Api_Client::create_rule Account-Linking-Do-Not-Rename-Backpacking-Series unknown_code {"statusCode":401,"error":"Unauthorized","message":"Expired token received for JSON Web Token validation","attributes":{"error":"Expired token received for JSON Web Token validation"}}
WP_Auth0_Api_Client::get_token http_request_failed cURL error 6: name lookup timed out

I tried

  1. Toggle signing algorithm (HS/RS256) in dashboard and WP plugin - no success.
  2. Regenerating Access Token manually via Management API Explorer - no success
  3. Set API Token at /api/v2 - no change
  4. Verified Client Secret Base64 Encoded is disabled
  5. Unauthorize the default API Explorer App and use the tenant-created App instead (verified scopes) - This disabled the option to manually regenerate access token in the API Explorer tab of management API. So I re-enabled it. When I verify the scopes, the default API Explorer App has none. Whereas the tentant-created app has scopes as per the config guide / tutorial.

What else can I pursue please?

Thanks in advance,
Kind regards,


Forgot to add, I have defined a constant for MIGRATION_WS option (with a value of access token from Auth0 Dashboard -> Management API -> API Explorer) to rule out error in manually updating the value in DB Login script. After the constant, the DB Login Script error message changed from ‘Wrong email or password’ to ‘Unexpected end of JSON input’.


Oh, that’s no good. What browser are you using? Yes, it’s supposed to be disabled but I am able to copy that. Might be a cross-browser problem with using a disabled textarea element. I’ll look into a better way to output that.

It sounds like you might have that token entered incorrectly into Auth0. Can you Inspect Element and copy directly out of the DOM? Also sounds like your API token is not valid based on that Create Rule entry. Keep in mind that the API token is different from the migration token. The API token allows the WP site to communicate with the Management API for various tasks. The migration token is what allows users to authenticate with Auth0 using your WP database.

Sounds like you might have the 2 tokens criss-crossed. If you want to set a constant for the migration token, set AUTH0_ENV_MIGRATION_TOKEN equal to the token on the Advanced tab for User Migration:

Then make sure that’s the same in your DB scripts.

For the API token, generate that at Auth0 Dashboard > Management API > API Explorer and set the constant AUTH0_ENV_AUTH0_APP_TOKEN. Should see this in the admin if that worked:


Thank you very much for your patience and support. This is what I did:

  1. In Auth0 Dashboard: Generated a new API token and copied it.
  2. In WordPress Dashboard: Using inspect element, copied the Migration token.
  3. WP Config: Defined the two constants and then saved the plugin settings.
  4. Auth0 DB Scripts: Updated the Migration token and hit the Try button.

Unfortunately, it did not work. Errors noted:

  • Auth0 DB script returned an error as before wrong username or password. I used email id (not username).
  • WordPress - Auth0 - Error Log: WP_Auth0_Routes::migration_ws_login 0 Algorithm not allowed

I then went back to Auth0 dashboard and tried the import / export extension with a valid JSON file. However, that too throws an error:

Unable to import user "undefined":
            	Missing required property: email

Could you please suggest other steps to try fix this problem? Appreciate your support.

PS: My desktop environment is Firefox 61.0.1 (64-bit) on Ubuntu 18.04

Kind regards,


OK, I see where the error is happening but I’m not sure why it’s happening. It’s saying that the JWT algorithm for your migration token is incorrect but when it’s created, it’s forced to HS256, which is what it’s checked against.

Can you go here:

… and paste your migration token in there to decode it. The header should be:

  "typ": "JWT",
  "alg": "HS256"

… and the payload should be:

  "scope": "migration_ws",
  "jti": "SOME STRING"

Can you tell me if that’s not the case?


Thank you very much.

When I paste the migration token in the box titled ‘Encoded’, that box turns red and I see a message underneath saying ‘Invalid Signature’. However, the header and payload are exactly as you expected.

Kind regards

PS: I have verified both Auth0 Dashboard and WordPress plugin is set to RS256 and not HS256.


OK, that sounds correct then. You can paste your Client Secret in the signature box and that should validate (nothing is saved anywhere on that site).

That’s for the ID tokens from users, the migration token is created and validated as HS256.

So … at this point I’m a little stuck as to what to recommend next. I think that error is coming from here:

… but if the token you’re using is HS256, as it shows in that JWT tool, then that error doesn’t make a lot of sense. You could try adding ‘RS256’ to the array in that third parameter to see if you can get anywhere. Otherwise, I’d start debugging around there to see what’s going on.


Thank you for your support.

Yes, if anything comes up during troubleshooting I’ll update the status here.

Kind regards,



Sorry, but if I may continue to seek guidance on this issue, I want to clarify:

Does it matter for user migration process if the Default-App in Auth0 dashboard is deleted and instead, I’m using a tentant-created App with the default database? Should user migration work as designed in such a scenario?

Kind regards,


As long as the app is configured properly, it doesn’t really matter. Full configuration is explained here:


Great! Thank you. Yes, I did follow that guide.

Unfortunately, I cannot figure out what’s wrong here.

It just might be that the feature is not available for free plans.

Kind regards,


If you don’t have the switch for Custom Database then that might be the case:


Thank you for being around! Really appreciate.

Actually, few users registered on my site with the config set to ‘use my own DB’. What I mean is these are new users and not old WP users whom I am unable to migrate. But, if I try to toggle it OFF, it says something like ‘delete the users first’.

Does it mean that, after the trial period (2 more weeks), I lose the new user accounts or they will not be able to login using the Lock form?

Kind regards


I’m a little confused … you mentioned that the custom DB option was not there but it sounds like it is? If it is there then you’re fine, that won’t be removed for anyone who doesn’t have it but might not be included for new accounts in the future (sorry if that’s a little confusing).


My apologies. This is what the setup looks like at the moment.

Auth0 Dashboard - Connection for database is setup as follows:
Requires username - Yes.
Import Users to Auth0 - Yes
Disable Signups - No

Password Policy: Yes

Custom Database:
Use my Own Database: Yes
Database Action Scripts:
Login Script: As provided above
Get User Script: As provided above
[Try button returns an error: Wrong username or password]

Applications Using this Connection:
API Explorer Application - Yes
[Tentant’s] Application - Yes

Try Connection:
It Works - When new Auth0 user tries to login
Fails - When old WordPress user tries to login.

Thank you for the clarification that users registered using Auth0 lock form will not be removed after the trial period.

Sorry, I am not sure if I understood this - “but might not be included for new accounts in the future”.

Kind regards,