Common Questions About Application API

Q: How to investigate an invalid token error or an access denied error

Error: InvalidTokenError: Invalid Compact JWS
at /node_modules/express-oauth2-jwt-bearer/dist/index.js:271:19
at runMicrotasks (<anonymous>)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async /node_modules/express-oauth2-jwt-bearer/dist/index.js:354:24

A related symptom: when trying to log in, the redirect back to the application carries a Service not found error, for example: http://localhost:3000/?error=access_denied&error_description=Service%20not%20found%3A%20https%3A%2F%2FYOUR_DOMAIN%2Fapi%2Fv2%2F&state=MTk2UnQ5aW11R0JBSXJ6VnZDOUF2YWZOS0VxNWdDeGpZaFBpNWtEUGkuVw%3D%3D

Steps:

  1. Check the error in Monitoring → Logs in the Auth0 dashboard.
  2. Make sure the parameters in the auth_config.json file (domain, clientId, and audience) match the configuration in the Auth0 dashboard.
  3. If the error persists, generate a HAR file for the complete flow for further investigation. Instructions for this are here.
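For step 2, a quick way to see why the API rejects a token is to split it into its three compact JWS segments and compare the unverified iss and aud claims with auth_config.json. The script below is an added example, not code from the page or from Auth0: the signature is deliberately not verified (this is a diagnostic, not an authorization check), the DEMO_CONFIG values and the make_demo_token helper are constructed placeholders, and a token with anything other than three segments is reported as "not a compact JWS", which is what the Invalid Compact JWS error above means.

```python
import base64
import json

# Constructed placeholder values standing in for auth_config.json.
DEMO_CONFIG = {
    "domain": "YOUR_DOMAIN",
    "clientId": "YOUR_CLIENT_ID",
    "audience": "https://YOUR_DOMAIN/api/v2/",
}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_demo_token(payload):
    """Constructed test helper: builds a compact JWS shape with a fake signature.
    Only for exercising the inspector offline; it is not a valid Auth0 token."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo"}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.fake-signature"


def inspect_token(token):
    """Decode header and payload WITHOUT verifying the signature.
    Returns None when the string is not a three-segment compact JWS
    (an opaque token, a truncated copy/paste, or not a token at all)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return None
    return {"header": header, "payload": payload}


def check_against_config(token, config):
    """Compare the token's (unverified) iss and aud with the app configuration.
    Returns a list of findings; an empty list means the claims line up."""
    findings = []
    decoded = inspect_token(token)
    if decoded is None:
        findings.append("token is not a compact JWS (three base64url segments); "
                        "the API is receiving an opaque token or a damaged string")
        return findings
    payload = decoded["payload"]
    expected_iss = f"https://{config['domain']}/"
    if payload.get("iss") != expected_iss:
        findings.append(f"iss mismatch: token has {payload.get('iss')!r}, "
                        f"config expects {expected_iss!r}")
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if config["audience"] not in aud_list:
        findings.append(f"aud mismatch: token audience {aud_list!r} does not "
                        f"include {config['audience']!r}")
    return findings


if __name__ == "__main__":
    sample = make_demo_token({"iss": "https://YOUR_DOMAIN/", "aud": "https://other-api"})
    for finding in check_against_config(sample, DEMO_CONFIG):
        print("-", finding)
```

Run it against the token the browser actually sent (copy it from the Authorization header in the HAR file) rather than one from the dashboard, since the point is to see what the API received. A token that fails the three-segment check usually means the audience was not requested at /authorize, so the claims comparison never gets a chance to run.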

Q: Adding API permissions overwrites previous permissions

A: When we send a PATCH request to https://URL/api/v2/resource-servers/API_ID, all the existing permissions/scopes are overwritten and only the permissions sent in the request are present.

PATCH requests replace the existing permissions with the content of the request; they do not merge.
To add or change permissions without losing the current ones, first GET the existing permissions from the same resource-servers endpoint, apply your changes to that list, and then send the full list in the PATCH request.

Here is a sample body of the PATCH request:

{
  "scopes": [
    {
      "description": "Read Client Grants",
      "value": "read:client_grants"
    },
    {
      "description": "Create Client Grants",
      "value": "create:client_grants"
    }
  ]
}
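The read-merge-write sequence described above, as an added example that is not code from the page or from Auth0. It uses only the standard library; YOUR_DOMAIN, API_ID and MGMT_TOKEN are placeholders, and make_fake_opener is a constructed stand-in for urllib.request.urlopen so the flow can be exercised offline. The merge keeps every existing scope and adds only values that are not already present, so a repeated run is idempotent and nothing is silently dropped.

```python
import json
import urllib.request


def merge_scopes(existing, additions):
    """Return existing scopes followed by any additions whose value is new.
    Deduplicated by value; an existing scope's description wins on conflict."""
    merged = {scope["value"]: scope for scope in existing}
    for scope in additions:
        merged.setdefault(scope["value"], scope)
    return list(merged.values())


def build_patch_body(existing, additions):
    """The PATCH body must carry the complete scope list, not just the new ones."""
    return {"scopes": merge_scopes(existing, additions)}


def add_scopes(domain, api_id, mgmt_token, additions, opener=urllib.request.urlopen):
    """GET the resource server, merge, then PATCH the full list back.
    `opener` is injectable so the flow can be tested without network access."""
    url = f"https://{domain}/api/v2/resource-servers/{api_id}"
    headers = {"Authorization": f"Bearer {mgmt_token}",
               "Content-Type": "application/json"}

    with opener(urllib.request.Request(url, headers=headers)) as resp:
        current = json.load(resp)

    body = build_patch_body(current.get("scopes", []), additions)
    patch = urllib.request.Request(url, data=json.dumps(body).encode(),
                                   headers=headers, method="PATCH")
    with opener(patch) as resp:
        return json.load(resp)


class _FakeResponse:
    """Constructed minimal file-like response for the offline demo."""
    def __init__(self, body):
        self._body = json.dumps(body).encode()

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def make_fake_opener(store):
    """Constructed stand-in for urlopen: `store` plays the resource server record.
    A PATCH overwrites store['scopes'], exactly as the real endpoint does."""
    def opener(req):
        if req.get_method() == "PATCH":
            store["scopes"] = json.loads(req.data)["scopes"]
        return _FakeResponse(store)
    return opener


if __name__ == "__main__":
    # Constructed starting state: the API already has one scope.
    fake_api = {"scopes": [{"description": "Read Client Grants",
                            "value": "read:client_grants"}]}
    result = add_scopes("YOUR_DOMAIN", "API_ID", "MGMT_TOKEN",
                        [{"description": "Create Client Grants",
                          "value": "create:client_grants"}],
                        opener=make_fake_opener(fake_api))
    print(json.dumps(result, indent=2))
```

The Management API token used here needs update:resource_servers; treat it like any other credential and keep it out of the client-side code base. With the real opener, a GET that returns fewer scopes than you expect is the moment to stop and look at the dashboard logs, not to PATCH.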

Q: Where to Get Postman Collection for Auth0 Management API

A: The Postman collection for the Auth0 Management API is accessible from this link.

Please be aware that there might be some inconsistencies when using the Postman collection, since the API is updated over time. You can verify each request against this API document.

Q: When we use the access token to call the /userinfo endpoint, some information is missing.

A: With an Auth0 access token, the /userinfo endpoint returns the user’s profile details. It only works if openid was granted as a scope when the access token was generated.

OpenID Connect specifies three scopes related to user profile information: openid, profile, and email. This article explains the details of the scopes.

We can use the Authorization API Debugger Extension to generate an access token with the required scopes and confirm which claims /userinfo returns for it.

Q: How to get the refresh token together with the access token and the id_token

A: In order to retrieve a refresh_token, you need to include the offline_access scope in the /authorize call. Check your application code and add it if it is missing.

The first example in this article is an /authorize call with the offline_access scope.
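An added example, not from the page or from Auth0, covering both of the scope questions above: it builds the /authorize URL for the authorization code flow, refuses to build one without openid (so /userinfo and the id_token will not come back missing claims), and lets you read back from a URL whether offline_access was requested. YOUR_DOMAIN, YOUR_CLIENT_ID and the redirect URI are placeholders; the state value is generated with secrets so it cannot be guessed.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# The three OpenID Connect profile scopes; openid is the one /userinfo requires.
USERINFO_SCOPES = ("openid", "profile", "email")


def build_authorize_url(domain, client_id, redirect_uri, audience, scopes, state=None):
    """Build the /authorize URL for the authorization code flow.
    Raises ValueError if openid is absent, since that is the usual cause of
    a /userinfo response with missing claims or no id_token at all."""
    scopes = list(dict.fromkeys(scopes))  # drop duplicates, keep order
    if "openid" not in scopes:
        raise ValueError("openid scope is required for /userinfo and for an id_token")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "audience": audience,          # without it the access token is opaque
        "scope": " ".join(scopes),
        "state": state or secrets.token_urlsafe(16),  # anti-CSRF value, checked on return
    }
    return f"https://{domain}/authorize?" + urlencode(params)


def scopes_in_url(url):
    """Read the requested scopes back out of an /authorize URL."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def will_return_refresh_token(url):
    """True when the request asks for offline_access, which is what makes Auth0
    include a refresh_token alongside the access_token and id_token."""
    return "offline_access" in scopes_in_url(url)


def missing_userinfo_scopes(url):
    """Which of openid/profile/email the URL does not request."""
    requested = set(scopes_in_url(url))
    return [s for s in USERINFO_SCOPES if s not in requested]


if __name__ == "__main__":
    url = build_authorize_url(
        "YOUR_DOMAIN", "YOUR_CLIENT_ID", "http://localhost:3000/callback",
        "https://YOUR_DOMAIN/api/v2/",
        ["openid", "profile", "email", "offline_access"],
    )
    print(url)
    print("refresh token requested:", will_return_refresh_token(url))
```

Keep the generated state in the session and compare it with the state parameter on the callback before exchanging the code; the redirect in the first question shows that state round-trips through the error path as well.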
