How to obtain user JWT token from username/password?

I am an Auth0 noob, and am able to create a new user with the Management API after I get a token for the using the Management API for my specific Auth0 application. My question is, how do I procure a authentication JWT for a specific user using username and password, but with using API, not a browser based method like Lock. Please provide examples with links to the correct URLs within Auth0. I have been looking for this for a while now with no success. If I may provide general advice on your tutorials and documentation. I find you folks overuse several terms that is horribly confusing. These terms are API, application, client and token. It would be a lot easier with pictures. Thanks.


The Resource Owner Password endpoint can obtain an id_token through the API (non browser-based). Please ensure to read the Remarks about setting the grant_types for your client to support this endpoint:

Thanks for your feedback, I have passed on your suggestions to our documentation team.

Well, I tried the resource owner password endpoint, and I keep getting the following error:
{"error":"unauthorized_client","error_description":"Grant type 'password' not allowed for the client.","error_uri":""} I think we could benefit from a simple workflow for non-interactive clients to create a user and then get a token for that user.


The following document outlines using the new grant types with Realm support: Call Your API Using Resource Owner Password Flow

You will need to PATCH your client to allow the grant_type, outlined here: Application Grant Types

Thanks, Prashant. I was able to get this working. So, I have management API working for creating users etc. and then the authentication API working for getting an access_token for a user. How does one validate a user for that access_token using your API (I assume use Authentication API, but what REST API)?.

You’ll need to elaborate on what you mean by “validate a user for that access_token using your API”. Are you talking about API Authentication and Authorization, or just validate the token in your application? Access_tokens are meant to be used to make API calls to your protected API. For your application, the id_token should serve the purpose.

Here’s what I want, in steps:

  1. Get a user registered using Mgmt API (OK)
  2. Get an access_token based on username and password (OK)
  3. For any user-specific REST API in my application (not the Auth0 application, my application server, for which I am using your service), I need the token access_token which I will validate with some API endpoint in Auth0 that helps me go “Oh, OK, this is a legit user asking for this REST API, and their account username is x.”
    What is the Auth0 API for 3? R you saying my app should store the result of 2?

The Authentication API is to use in your applications to authenticate a user. The Management API is for you to use as an administrator of your account, to control account/user/client settings.

Your scenario would use API Authorization flows. Please review the following documentation:

If you require further help with this, please create another question post.

My feeling is that Auth0 has become a really confusing, messy and over complicated solution. Also, this change was a major change to the workflow and it has not been communicated properly.


I agree. Auth0 looks and feels painfully over-architected, without simple solutions to common workflows.


Solved here: Simply getting a JWT in exchange for a user/pass

1 Like