How do I create a token that will allow me to create a new client using the management API?

My tenant contains the default Auth0 Management API and a custom API. Using the .NET SDK, I want to create a new MachineToMachine client for the custom API.

I first want to create a token that will allow me to create a new client. I believe I need to use code similar to the following:

var restClient = new RestClient("https://[MY_TENANT]");
var request = new RestRequest("oauth/token", Method.Post);
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"client_id\":\"[CLIENT_ID]\",\"client_secret\":\"[CLIENT_SECRET]\",\"audience\":\"[AUTH0_MANAGEMENT_API_AUDIENCE]\",\"grant_type\":\"client_credentials\"}", ParameterType.RequestBody);
RestResponse response = restClient.Execute(request);


  • What values should I use for CLIENT_ID and CLIENT_SECRET?
  • Do I need to manually need to create a “master” client to obtain the id and secret?
  • If I need to manually create a master client, to which API do I authorize this: the Auth0 Management API or the custom API?
  • What should I be using for the Audience value: the one for the Auth0 Management API or for the custom API?

I have tried manually creating a master client, however if I specify the audience as [AUTH0_MANAGEMENT_API_AUDIENCE], the token that gets generated fails with a “invalid token” error. If I specify the audience as [MY_CUSTOM_API_AUDIENCE], it fails with a “bad audience” error.

The generated token looks something like this:

  "iss": "https://[MY_TENANT]",
  "sub": "[CLIENT_ID]@clients",
  "aud": "[AUDIENCE]",
  "iat": 1711472848,
  "exp": 1711559248,
  "gty": "client-credentials",
  "azp": "[CLIENT_ID]"

What is wrong with the generated token? How can I create a valid token that will allow me to call apiClient.Clients.CreateAsync(clientRequest)?

Ah, OK, I’ve finally worked it out myself. I need to do the following:

  1. Manually create a new Custom API (in addition to the default Auth0 Management API).
  2. Enable the API Explorer for the default Auth0 Management API (this will create an API Explorer Application).
  3. Ensure the API Explorer Application is authorized for Machine-to-Machine with Auth0 Management API.
  4. Get the clientId and clientSecret for API Explorer Application, plus the Audience for the Auth0 Management API - these will be the values used to generate the token required to create a client.
  5. Instantiate a new ManagementApiClient using the token and a Uri based on the Auth0 Management API Audience.
  6. Submit a ClientCreateRequest, which will generate a new custom client application (note the new customClientId and customClientSecret)
  7. Submit a ClientGrantCreateRequest, using the Audience of my Custom API, which will ensure that the new client application is authorized for my Custom API.

At the end of this, I now have a customClientId, customClientSecret and customApiAudience that can be used to generate tokens for accessing endpoints secured by my Custom API.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.