Hello,
We are currently running into a weird problem with the PATCH User endpoint.
The documentation states that the phone_number property must be + followed by 1 to 15 digits. So during testing we tried to change the phone number for a user, and it results in a bad request:
PATCH {tenant_url}/api/v2/users/<auth0 ID>
{
"phone_number": "+4477722211
}
# Response:
{
"statusCode": 400,
"error": "Bad Request",
"message": "phone_number is not valid",
"errorCode": "invalid_body"
}
If I remove the + the error actually tells me what the documentation states, so why is the endpoint not accepting the number in the format provided by the documentation?
This user is NOT an SMS passwordless user either, just a record we created with testing, and we’re unable to change the phone number.
Hi @Arne_De_Herdt
The reason the endpoint is rejecting +4477722211 is that Auth0 applies strict geographical validation to the root phone_number attribute, not just a simple regex check. While your string matches the documented regex pattern, it fails the internal validation because it is physically impossible for a UK (+44) phone number to only have 8 digits.
To resolve this Bad Request and successfully test the endpoint, you must provide a phone number that has the correct length and structure for its designated country code.
If you are testing UK numbers, you can use Ofcom’s officially reserved “drama/testing” numbers, which will pass the strict validation but will not route to a real person.
Try updating your JSON payload to use this valid 10-digit format.
If your application requires storing phone numbers exactly as the user typed them (including extensions, spaces, invalid lengths, or local formatting without a +), you should not use the root-level phone_number attribute.
Kind Regards,
Nik