How can I fix "error: Unhandled server exception: secret or public key must be provided"

I am trying to use the user management API to get the users and their app_metadata.

I have generated a non-interactive client and added the scopes “read:user_idp_tokens” and “read:users”. The client secret and ID are being sent using the quick start code for jwt-express like:

const jwt = require('express-jwt');
const jwksRsa = require('jwks-rsa');

// getTokenFromRequest is the poster's own token extractor (not shown in the post).
const checkJwt = jwt({
   // Fetch the signing key from the tenant's JWKS, selected by the token's "kid" header.
   secret: jwksRsa.expressJwtSecret({
      cache: true,
      rateLimit: true,
      jwksRequestsPerMinute: 5,
      jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`,
   }),

   // Validate the audience and the issuer.
   audience: process.env.AUTH0_AUDIENCE,
   issuer: `https://${process.env.AUTH0_DOMAIN}/`,
   algorithms: ['RS256'], // must be an array
   getToken: getTokenFromRequest,
});

However I get this error “error: Unhandled server exception: secret or public key must be provided” which has been reported by other users here and here but I don’t see a solution.

Please, how can I fix this issue?

It seems to be an issue with the issuer param because I have a tenant that is still under the free trial and this functionality works but for my paid tenant it doesn’t.

When I used the tenant with the trial account I get the error { statusCode: 401, error: 'Unauthorized', message: 'Bad audience: https://domain.com/dev' }. Maybe because I’m trying to use the Management API v2 with a test account.

Hi @peter.banjo

You might find this useful
[API Quickstart error: "UnauthorizedError: secret or public key must be provided" - Auth0 Community]

Thanks for the suggestion. Yes, I’ve read that question and I looked in my node_modules/ folder to see if there were any dependencies overriding the Array.prototype.find and didn’t find any.

You mention “I am trying to use the user management API to get the users and their app_metadata.” and “I have generated a non-interactive client and added the scopes “read:user_idp_tokens” and “read:users”.” This should be requested using the client_credentials grant, as you can see here: https://auth0.com/docs/api/management/v2/tokens

The error you mention is likely an issue with either the Issuer or the Audience you have specified, because we don’t block access to the management api for any type of accounts.

For anybody who lands here from google, like me: the jwks-rsa package filters out any keys that don’t have a matching “kid” (Key ID) with your token. You can find the KID in the header part of your tokens and in your jwks.json. Error message is confusing!

This would happen in a multi-tenant situation where you generate a token in a tenant and try to validate it using another. ex:

generate token from tenant “tenant1.auth0.com”, look in token header
(kid: MDE0NjhGNEY4REZCRTM1QTk5MzZDODAwNTZDQ0FCRUIyNkY0OEFEMQ)
try and validate token using jwksUri "https://tenant2.auth0.com/.well-known/jwks.json"
(kid: N0Y2RDFCMTZFNzJGMzcxQ0JGN0Q5MTE4MEU0NEFBOTFGQzBFMzA5RQ)

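Added example, not code from the thread or from jwks-rsa itself: it reproduces offline the "kid" lookup described in the post above (the key filter approximates what jwks-rsa does), so you can see why a token from one tenant is rejected against another tenant's JWKS. The token, the two JWKS documents and the URLs are constructed sample values.

```javascript
// Added example (not code from the thread): reproduce offline the "kid"
// matching that jwks-rsa performs, to diagnose the error in this thread.
// All JWKS documents and the token below are constructed sample data.

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Decode the unverified JWT header; we only need to learn which key the
// token claims it was signed with, not to verify the signature here.
function readHeader(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return base64UrlDecode(parts[0]);
}

// Approximation of the jwks-rsa filter: RSA keys marked for signing, carrying
// public key material, whose kid equals the kid in the token header.
function findSigningKey(token, jwks) {
  const { kid } = readHeader(token);
  return jwks.keys.find(
    (k) => k.use === 'sig' && k.kty === 'RSA' && k.kid === kid &&
      ((k.x5c && k.x5c.length > 0) || (k.n && k.e))
  ) || null;
}

// Turn the lookup result into the message the thread's error should have given.
function diagnose(token, jwks, jwksUri) {
  const { kid } = readHeader(token);
  if (findSigningKey(token, jwks)) return `ok: kid ${kid} found at ${jwksUri}`;
  const known = jwks.keys.map((k) => k.kid).join(', ');
  return `no key for kid ${kid} at ${jwksUri} (available: ${known}); ` +
    'was the token issued by a different tenant?';
}

// Constructed data: an unsigned token claiming kid KID-TENANT1, and the JWKS of
// two tenants. "n"/"e" are placeholders, not real key material.
const SAMPLE_TOKEN = [
  base64UrlEncode({ alg: 'RS256', typ: 'JWT', kid: 'KID-TENANT1' }),
  base64UrlEncode({ sub: 'user@example' }),
  'fake-signature',
].join('.');
const TENANT1_JWKS = { keys: [{ kty: 'RSA', use: 'sig', alg: 'RS256', kid: 'KID-TENANT1', n: 'placeholder', e: 'AQAB' }] };
const TENANT2_JWKS = { keys: [{ kty: 'RSA', use: 'sig', alg: 'RS256', kid: 'KID-TENANT2', n: 'placeholder', e: 'AQAB' }] };

console.log(diagnose(SAMPLE_TOKEN, TENANT1_JWKS, 'https://tenant1.example/.well-known/jwks.json'));
console.log(diagnose(SAMPLE_TOKEN, TENANT2_JWKS, 'https://tenant2.example/.well-known/jwks.json'));
```

To check a real token, paste its header segment into readHeader and compare the kid against the kids listed at the jwksUri your middleware is actually configured with.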