Generate token in WebApi. Error: "Grant type 'client_credentials' not allowed for the client."

I'm trying to generate a token in a WebApi so I can call the ManagementApi to update a user's meta_data. I used code that previously worked for me and received the error:

 "error":"unauthorized_client","error_description":"Grant type 'client_credentials' not allowed for the client."

I understand the grant type 'client_credentials' can no longer be enabled for clients in the dashboard, and that when I create the client I need to specify that the endpoint is secret, so I added the following to my code:

token_endpoint_auth_method = "client_secret_post"

The code I am using to generate the token is below:

    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Text;
    using System.Threading.Tasks;
    using Newtonsoft.Json;

    // Returns the access_token, so the method must be Task<string>, not a bare Task.
    private async Task<string> GetToken()
    {
        var client = new HttpClient();
        client.DefaultRequestHeaders.Accept.Clear();
        client.DefaultRequestHeaders.Accept.Add(
            new MediaTypeWithQualityHeaderValue("application/json"));

        // JSON body for the client_credentials grant against the Management API audience.
        string payload = JsonConvert.SerializeObject(new
        {
            client_id = _auth0ClientId,
            client_secret = _authClientSecret,
            audience = $"https://{_auth0Domain}/api/v2/",
            grant_type = "client_credentials",
            // The setting this question is about; sent here as part of the request body.
            token_endpoint_auth_method = "client_secret_post"
        });

        var content = new StringContent(payload, Encoding.UTF8, "application/json");
        var stringTask = client.PostAsync($"https://{_auth0Domain}/oauth/token", content);

        var msg = await stringTask;
        var result = await msg.Content.ReadAsStringAsync();
        var token = JsonConvert.DeserializeObject<dynamic>(result);

        return (string)token.access_token;
    }

Even with the token_endpoint_auth_method set I still get the same error. Am I setting it in the correct place?

To get a management API v2 token you’ll need to use an authorized Non Interactive client. You can check a step by step tutorial on how to create it and authorize it here: Management API Access Tokens. Make sure to authorize it for the Auth0 Management API under the Non Interactive Clients tab in the APIs section of the dashboard, with the required scopes that you need for your Management API requests. (You can check the scopes under each request, in the management API documentation.)

To use the Client Credentials grant you have to set a Token Endpoint Auth Method other than “none”.

On your Auth0 Dashboard make sure that the Non Interactive client you’re using has the Token Endpoint Authentication Method set to something other than “None”, most likely it should be Post.

Once that is done, you might need to enable the client credentials grant. To enable it, scroll down in the client settings page and click Show Advanced Settings. In the Grant Types tab, you’ll be able to enable the Client Credentials grant.

The request to get a Management API v2 token should then look like:

curl --request POST \
  --url 'https://{{YOUR_AUTH0_DOMAIN}}/oauth/token' \
  --header 'content-type: application/json' \
  --data '{ "grant_type" : "client_credentials", "client_id" : "{{NON_INTERACTIVE_CLIENT_ID}}" , "client_secret" : "{{NON_INTERACTIVE_CLIENT_SECRET}}" , "audience" : "https://{{YOUR_AUTH0_DOMAIN}}/api/v2/" }'
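The same request written in C#, as an added example that is not the original poster's code or any Auth0 SDK. It assumes a Non Interactive client already configured as described in the answer (Token Endpoint Authentication Method set to Post, Client Credentials grant enabled); the class name `ManagementTokenProvider` and the constructor arguments are placeholders of this example. The point it makes beside the question's code: `token_endpoint_auth_method` is a client setting chosen in the dashboard, not a field of the `/oauth/token` body, so it is omitted here, and an error body such as `unauthorized_client` is surfaced instead of being parsed as if it contained `access_token`. The token is also cached until shortly before `expires_in` elapses, so each Management API call does not cost a fresh token request.

```csharp
using System;
using System.Net.Http;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Added example (not the poster's code or Auth0's SDK). Domain, client id and
// secret are supplied by the caller; nothing here is a real credential.
public sealed class ManagementTokenProvider
{
    private static readonly HttpClient Http = new HttpClient();

    private readonly string _domain;
    private readonly string _clientId;
    private readonly string _clientSecret;

    // Cached token and the instant after which it is treated as stale.
    private string _cachedToken;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    public ManagementTokenProvider(string domain, string clientId, string clientSecret)
    {
        _domain = domain ?? throw new ArgumentNullException(nameof(domain));
        _clientId = clientId ?? throw new ArgumentNullException(nameof(clientId));
        _clientSecret = clientSecret ?? throw new ArgumentNullException(nameof(clientSecret));
    }

    // Body of the client_credentials request. token_endpoint_auth_method is
    // deliberately absent: it is the client's dashboard setting, not a request
    // parameter. With that setting on "Post", the credentials go in this body.
    public static string BuildTokenRequestBody(string domain, string clientId, string clientSecret)
    {
        return JsonSerializer.Serialize(new
        {
            grant_type = "client_credentials",
            client_id = clientId,
            client_secret = clientSecret,
            audience = $"https://{domain}/api/v2/"
        });
    }

    // Returns a Management API v2 access token, reusing the cached one while it
    // is still valid.
    public async Task<string> GetTokenAsync()
    {
        if (_cachedToken != null && DateTimeOffset.UtcNow < _expiresAt)
            return _cachedToken;

        var body = BuildTokenRequestBody(_domain, _clientId, _clientSecret);
        using (var content = new StringContent(body, Encoding.UTF8, "application/json"))
        using (var response = await Http.PostAsync($"https://{_domain}/oauth/token", content))
        {
            var json = await response.Content.ReadAsStringAsync();
            using (var doc = JsonDocument.Parse(json))
            {
                var root = doc.RootElement;
                if (!response.IsSuccessStatusCode)
                {
                    // Error responses look like
                    // {"error":"unauthorized_client","error_description":"..."}.
                    // Report code and description only; the request body holds the
                    // secret and must never be logged.
                    var code = root.TryGetProperty("error", out var e) ? e.GetString() : "unknown_error";
                    var desc = root.TryGetProperty("error_description", out var d) ? d.GetString() : "(no description)";
                    throw new InvalidOperationException(
                        $"Token request failed with HTTP {(int)response.StatusCode}: {code}: {desc}");
                }

                _cachedToken = root.GetProperty("access_token").GetString();
                var lifetime = root.TryGetProperty("expires_in", out var exp) ? exp.GetInt32() : 0;
                // Refresh 60 seconds early so an almost-expired token is never handed out.
                _expiresAt = DateTimeOffset.UtcNow.AddSeconds(Math.Max(lifetime - 60, 0));
                return _cachedToken;
            }
        }
    }
}
```

Usage: construct one `ManagementTokenProvider` per process with the domain, the Non Interactive client's id and its secret read from configuration, and call `GetTokenAsync()` before each Management API request; if the dashboard settings from the answer are missing, the thrown exception carries `unauthorized_client` and the same description the question quotes.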

That worked. Thanks.