How to enable changing password/email by user in iOS Client

Hi, I have been struggling with the Management API on iOS. I have an app that uses Auth0 for authentication paired with graphcool. I have implemented a client for my app that handles Auth and have added a method that wraps Auth0's own patch function like so:

    Auth0
        .users(token: accessToken)   // token sent as "Authorization: Bearer ..."
        .patch(userInfo.sub, attributes: attributes)
        .start { result in
            // ...
        }

The problem is that I am getting an error all the time. I am not sure which token I should use either.

I get the following response when using access-token:

Failed with unknown error [“errorCode”: Bearer, “statusCode”: 400, “message”: Bad HTTP authentication header format, “error”: Bad Request]

… and with id-token:

Failed with unknown error [“attributes”: { error = “Invalid token”; }, “statusCode”: 401, “message”: Invalid token, “error”: Unauthorized]

I am really desperate at the moment and have wasted a lot of time with no success.
Maybe you guys know what I am doing wrong?

I am using RS256 for token encoding with OIDC enabled.


@witek you should be using the access_token when talking to the Management API (or any API). The error message you got about bad format is interesting. When you are sending in the JWT, are you using this header format?

Authorization: Bearer xxx.yyy.zzz

You are receiving a bad request because Auth0 thinks you are not sending in the JWT properly. The SDK should do this for you, but it is worth double checking.

Also, can you make sure the access_token is a valid JWT (meaning it is a JWT and not a 32-character opaque string)? Also, how are you fetching the access token (e.g. what scopes and audience are set)? Can you provide the body of the JWT?
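The checks asked for in the reply above (is the token a JWT or an opaque string, and what audience and scopes does its body carry) can be done locally before calling the API. This is an added example, not part of the thread and not Auth0's code; `checkToken`, `makeSample`, and the audience placeholder `https://tenant.example/api/v2/` are assumptions made for illustration.

```swift
import Foundation

/// Outcome of inspecting a token locally before sending it to the Management API.
enum TokenCheck: Equatable {
    case opaque                    // not three dot-separated segments, so not a JWT
    case malformed                 // JWT-shaped, but the payload does not decode
    case wrongAudience([String])   // JWT, but the expected audience is absent
    case missingScopes([String])   // audience fine, required scopes absent
    case ok
}

/// Decodes a base64url segment ('-' and '_' alphabet, padding stripped).
func base64URLDecode(_ segment: String) -> Data? {
    var s = segment.replacingOccurrences(of: "-", with: "+")
                   .replacingOccurrences(of: "_", with: "/")
    s += String(repeating: "=", count: (4 - s.count % 4) % 4)
    return Data(base64Encoded: s)
}

/// Reads the payload claims without verifying the signature (diagnostic use only).
func checkToken(_ token: String, expectedAudience: String, requiredScopes: [String]) -> TokenCheck {
    let parts = token.split(separator: ".", omittingEmptySubsequences: false)
    guard parts.count == 3 else { return .opaque }
    guard let data = base64URLDecode(String(parts[1])),
          let claims = (try? JSONSerialization.jsonObject(with: data)) as? [String: Any]
    else { return .malformed }
    // "aud" may be a single string or an array of strings.
    let audiences = (claims["aud"] as? [String]) ?? (claims["aud"] as? String).map { [$0] } ?? []
    guard audiences.contains(expectedAudience) else { return .wrongAudience(audiences) }
    // "scope" is a space-separated string.
    let granted = Set((claims["scope"] as? String ?? "").split(separator: " ").map(String.init))
    let missing = requiredScopes.filter { !granted.contains($0) }
    return missing.isEmpty ? .ok : .missingScopes(missing)
}

// Constructed sample: an unsigned token built inline; the audience is a placeholder.
func makeSample(_ claims: [String: Any]) -> String {
    let enc: (Data) -> String = { $0.base64EncodedString()
        .replacingOccurrences(of: "+", with: "-").replacingOccurrences(of: "/", with: "_")
        .replacingOccurrences(of: "=", with: "") }
    let header = try! JSONSerialization.data(withJSONObject: ["alg": "RS256", "typ": "JWT"])
    let body = try! JSONSerialization.data(withJSONObject: claims)
    return "\(enc(header)).\(enc(body)).constructed-signature"
}

let api = "https://tenant.example/api/v2/"  // placeholder, not a real tenant
// A constructed 32-character opaque string, then a constructed JWT with the needed claims.
print(checkToken("constructedOpaqueTokenValue00000", expectedAudience: api, requiredScopes: ["update:users"]))
print(checkToken(makeSample(["aud": api, "scope": "openid update:users"]), expectedAudience: api, requiredScopes: ["update:users"]))
```

The decoder only reads claims to explain a 400 or 401 on the client; acceptance of the token is still decided by the API, which validates the signature.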

Hi! Thank you for your response. Well, it seems my refresh token is in the wrong format.

Some refresh_token from a new account I just created: Odep0npX4rqJ3vdAyRKyM1qGBnZ4yw9y

the scope is: openid profile email offline_access access_token update:users update:current_user_metadata

the audience is:

@witek the refresh_token format should not be a concern. That token is used to get a new access_token after the access_token expires. In the token response you should see access_token, which is a JWT. Since you are trying to get a token for the Management API, I would expect the audience to be something like this:


Ah! Of course I meant access_token. My mistake. After updating my audience as suggested, I received the following error:

["statusCode": 404, "message": Not Found, "error": Not Found]

@witek changing the audience shouldn’t return a 404. Are you changing the audience or did you change the domain of your configuration?

I have changed the domain in the Auth0.plist. What should I change then? I am not making the API calls directly; I am using the Auth0 iOS library as shown above in the first post.

@sgmeyer, this is the documentation of the method I am using:

Auth0 Management Users API v2 that allows CRUD operations with the users endpoint.

Auth0.users(token: token)

Currently you can only perform the following operations:

  • Get an user by id
  • Update an user, e.g. by adding user_metadata
  • Link users
  • Unlink users

Auth0 domain is loaded from the file Auth0.plist in your main bundle with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
  • parameter token: token of Management API v2 with the correct allowed scopes to perform the desired action

  • parameter session: instance of NSURLSession used for networking. By default it will use the shared NSURLSession

  • parameter bundle: bundle used to locate the Auth0.plist file. By default is the main bundle

  • returns: Auth0 Management API v2

  • important: Calling this method without a valid Auth0.plist will crash your application

    public func users(token: String, session: URLSession = .shared, bundle: Bundle = .main) -> Users {
        // Force-unwrap: crashes if Auth0.plist is missing or invalid, as the doc comment warns.
        let values = plistValues(bundle: bundle)!
        return users(token: token, domain: values.domain, session: session)
    }