Auth0 Home Blog Docs

How is the JWT for .Net Core API Scope created?



I have followed the tutorial here:

Getting the access token directly from the API test tab is fine and works, but I am having trouble generating an access token with the correct scope.

Just to confirm the property is “scope” (for API) not “scopes” (which is uses for app JWTs)?

I am using the Jose.Jwt .Net Library library and generating a JWT similar to how I use it for app JWT creation, but changed “scopes” to “scope” and creating the read:messages and create:messages (to work with the example app) as:

var scope = new
 messages = new 
actions = new] {"read", "create"}

The access token created does validate on the api/ping/secure call but on the api/messages there are no scopes coming through?

any pointers?


Looking at this page:

I can see that the scope needs to be specified as “scope” and is a space delimited string.

Its also indicates that the algorithm needs to be HS256

The API signing algorithm when I created the API in Auth0 defaults to RS256 and the corresponding Client automatically created has an the default OAuth JsonWebToken Signature algorithm set to HS256. Do these need to be the same or changed to make it work?

Leaving the defaults above and creating a JWT access token is still not working? The documtenation is still very hit and miss and only leaves trial and error and a lot of searching of the documentation and going in circles. Surely this is a straight forward one for support to answer? and/or update the tutorial with links to the correct info to create the access token.

…or am I really missing something…

Can I in fact use the Jose.JWT library to create the access token or do I need to call an Auth0 API to do this?


Hi @jerrie ,

The technology is .Net Core 2.

I need customers to signup and register for the service (multi-tenant app).
(I have implemented web app authentication in .Net Core 1.1 for multi-tenancy and somewhat familiar with how that works) So users can signup, login and add additional users to their tenant. This uses a single Auth0 Client (OIDC compliant) with user/app meta data and rules to handles the multi-tenancy etc. [this needs to be upgraded to .net core 2 so I assume this is minimal when I create a new client] This part of the app is essentially the admin interface, the rest of the functionality is via integration.

With this particular app, there are 2 parts that require integration:

  1. A Web API (to upload files and add users who have visibility on those files)
    This will be used via the customer app.

  2. A page that provides specific functionality to view these files in a particular way, for specific users This page will be part of our application. (the customer app will open a new window/tab in a browser or create an iFrame within the their application)

The first part is to expose Web API access, accessible from their server, this requires securing and was looking at this example;
Is this correct for server to server communication?
in this case the customer needs to get the access token, how do they get this to then call the api endpoints? What do we need to supply in our admin interface, eg an API key etc?

For the second part of the app, we need to authenticate/authorise users for the iFrame or page that they open within our app, the customer users will login to their app (which can be any technology that we don’t know about), but we need to know who each user is and their permissions, which they will setup via our api.
In this case we assume that the customer app will get an access token via our Web API and pass this to the page which will need to make javascript calls to our server.
(This could be seen as an SPA app or a case for SSO) but the customer users will only login to their app and not have to login to ours? We can build functionality to redirect users back to the customers app if we find them logged out etc, so for instance the customer app would need to generate new tokens/key to re-authenticate etc to pass what they need back to our page?

Does this make sense, I am trying to translate this into Auth0 workflows but can’t map this in my mind, do we need to implement 3 different workflows (admin login, api auth, SPA/page auth)? If you could provide information on how this cold work, that would be greatly appreciated.


An access_token will be (optionally) returned to you during the authorization flow. So yes, Auth0 will give you an access_token.

But I will need more details as to what sort of client application you are developing. What technologies are you using to develop the Client application which authorizes the user and calls the API?


since I cannot edit a comment… the logistical labs one doesn’t seem to be the right one.


It turns out you can edit, but when editing, there is not text to edit, so do we copy and paste?

On the API text tab, the c# example references “RestClient”, which library is this, the Logistical labs one doesn’t seem correct? Also, is this call not available in the Auth0 c# library? if it is can we please have examples using the C# library, this will tie things together?


It’s the “RestSharp” Library


But how do specify scope when we request that access token?


But how do specify scope when we request that access token? (original question) I there no technical support person who can just answer this?


I am trying to answer your question, but I cannot do that until you answer my question which I asked before:
What technologies are you using to develop the Client application which authorizes the user and calls the API?

There are many different ways in which you can get an access_token, depending on the authorization flow you use. See

Each of those flows work differently, and I cannot answer you as to which one you should use, and how to use it, until you tell me exactly how you intend to call the API.


You need to be specific.

  • What sort of application? (i.e. CLI, Single Page Application, Mobile application, etc)
  • What technologies are you using to develop this application? (Angular, React, Swift, .NET, UWP, etc…)


Hi @jerrie

I am replying on this comment as I can’t seem to reply on your latest comment about supplying more info.

I updated the question with a lot more info? I am pretty sure that outlines the technology and what I want to do? I could not fit that into a “comment”


For the server-to-server communication you will need to use Client Credentials flow to obtain an access token:

From .NET you can simply use our Auth0.NET SDK to execute this flow. The code will look something like the following:

var authenticationApiClient = new AuthenticationApiClient(new Uri(""));

// Get the access token
var token = await authenticationApiClient.GetTokenAsync(new ClientCredentialsTokenRequest
    ClientId = "CLIENT_ID",
    ClientSecret = "CLIENT_SECRET",
    Audience = "YOUR API IDENTIFIER"

For the ClientId and ClientSecret you will need to register a “Non Interactive” client in the Auth0 Dashboard, and then specify the Client ID and Client Secret for that Client. For the Audience, you will need to specify the API Identifier of your API.

One thing though; From the way you describe it, it sounds as though each of the tenants should have their own Client in Auth0. So I would suggest reading up on 3rd Party Clients and use Dynamic Client Registration to register a client for each of your tenants. You should then surface their own Client Id and Client Secret for the dynamic client you created for them in the management section of your own website.

For the JavaScript side, you should use the Implicit Flow to authorize a user, and then obtain an access_token which your JS app can store and pass on to the API. You can see our SPA Quickstarts for more information on how to do this depending on the technology you are using.


Hi @jerrie1

Thanks for that, I will do some more basic tests and try out all these flows for each aspect of the application, to be fair I have read most of the .net related documents but it seems I need to start again with the .net Core 2.0 stuff.

Regarding the tenants, I have implemented this before using a single Client and managing the tenant associations using meta-data where a user could potentially belong to multiple tenants, Creating clients and database connections programmatically and storing all the client keys in my our own database seems more risky and creates lot more moving parts but will look at the documents again…

Some feedback on documentation:
I appreciate the documents assume some level of knowledge about o-auth, the various workflows and security concepts in general, but I would assume those most developers are not all involved with security all the time, keeping up with changes and having the need to remember all the minute details… developers are usually working on other features using other expertise and only come back to the security time to time when things need upgrading or additional security features added. For this reason, the documentation could be more educational and a bit more verbose, this would help considerably to keep people up to speed as well as getting developers on track with updates and new development. I realise there are links to other information, but a quick summary with out losing focus and linking to another web of information could help keep things together. Also the example code uses a mix of SDK code and direct lower level code, if all of the examples only used the SDK, then it would save time in trying to discover if/where that is available in the SDK and would provide additional help for the SDKs.
In come cases, the link to make a suggestion (which link to github I think) don’t work with 404’s. but will try that again when I go through the docs again.


Thanks for the feedback on the docs! I will pass it along to my fellow team members on the docs team to also take note of, so we can try and improve this :


Hi @jerrie I have come back to this and will create a non-interative client for each of our tenants and expose the auth0 clientId and secret to the tenant admin users. I assume they will create a JWT for authorization in the same way we do?

I can successfully create interactive clients, and have created an API in Auth 0, but how do I authorise these clients via the ManagementAPI? I cannot see documentation on updating an API? The new clients are set an unauthorised in the API settings?


I belive you should use the /api/v2/client-grants endpoint.

See this doc:


Thanks, will try that. Is there a C# example using the Client library and not direct/RestClient based?
Feedback: This is a great example of where the documentation needs to point to the available tools/libraries not re-create client library code. Its not clear if these calls are in fact available in the client library, if not the library should be updated first, then documented using that? do I now look for the code in the library or just use the example, I can only continue to feed back this kind of thing as its frustrating spending a lot of time digging for info in all the docs.


The best I can offer you at this stage is to have a peek at the integration test for the Client Grants endpoint:

You will see it creates a client and a resource server (API), and then it creates the client grant which authorizes that client to call the API