How to update user from SPA (use of auth0.js, auth0.Management.patchUserMetadata)


I’m trying to update some user metadata from a single page app by following the explanation given here;

I’m getting a 401 response with the body: {"statusCode":401,"error":"Unauthorized","message":"Client is not global"}

Does anybody know what this indicates? And what I may do to resolve the issue?


It appears that you may be using the wrong token. When initializing auth0.Management, you should be using the id token you get from the login. As stated in the documentation, it provides an API Client for the Auth0 Management API (only methods meant to be used from the client with the user token). So first you’d have something like:

var webAuth = new auth0.WebAuth({
  domain: '{YOUR_AUTH0_DOMAIN}',
  clientID: '{CLIENT_ID}',
  audience: '{AUDIENCE}',
  redirectUri: '{RETURN_URL}',
  scope: 'openid profile email',
  responseType: 'token id_token'
});

// Parse the URL hash after the login redirect
webAuth.parseHash(function(err, authResult) {
  // here you can get the idToken from authResult.idToken
});

This idToken is the one you need to use in the management request, as:

var auth0Manage = new auth0.Management({
  domain: '{YOUR_AUTH0_DOMAIN}',
  token: authResult.idToken
});

var userId = 'xxxxxx'; // placeholder for the user's ID
var userMetadata = {"test": "value"};

auth0Manage.patchUserMetadata(userId, userMetadata, function (err, authResult) {
  if (err) {
    // handle the error
  } else {
    console.log("patchUserMetadata succeeded: " + JSON.stringify(authResult));
  }
});

Thanks for the input.
I think my problem was that I started working with auth0.js version 9 (where it is the access token to be used and where I used a different initial audience and then tried using checkSession to get a token for another audience). After reverting back to version 8 and making sure to request the right scopes from the management api audience it is working.

Sorry for resurrecting this thread, but I have the same problem. I've tried to downgrade to v8 but it is not working.

My WebAuth config looks like this:

this.auth0 = new auth0.WebAuth({
  domain: env.auth0.domain,
  clientID: env.auth0.clientId,
  redirectUri: env.auth0.callbackUrl,
  audience: `https://${env.auth0.originalDomain}/userinfo`,
  responseType: 'token id_token',
  scope: 'openid profile user_metadata'
});

I guess that I am not able to make requests on the management API because my WebAuth config audience is pointing to /userinfo. But when I change to /api/v2/, it becomes impossible to log in.
I have already tried with both idToken and accessToken, the error responses are the following:

  • idToken: 401 “Invalid token”
  • accessToken: 400 “Bad HTTP authentication header format”

It's an open source project, this is the current implementation:
WebAuth config:
Management API config:

What am I missing?
Thanks, Victor.

Ok, I just found the problem, changing the audience to /api/v2/ and doing the authentication flow it works as expected.
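
A debugging check for the audience and scope mismatch this thread ran into, added here as an example and not code from any poster or from auth0.js: it decodes a token's claims and reports whether `aud` contains the `/api/v2/` audience and whether a required scope is present. The helper names, the `example.auth0.com` domain, the sample tokens and the scope `update:current_user_metadata` are assumptions; the thread does not name the scope.

```javascript
// Added diagnostic sketch: helper names and sample tokens are constructed.
// Claims are decoded WITHOUT signature verification: debugging aid only.
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8'); // Node; use atob() in a browser
}

// Returns a list of reasons the token would not fit the Management API call.
function checkManagementToken(token, domain, requiredScope) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return ['not a three-part JWT (opaque token?)'];
  let claims;
  try {
    claims = JSON.parse(b64urlDecode(parts[1]));
    if (!claims || typeof claims !== 'object') throw new Error('not an object');
  } catch (e) {
    return ['payload is not a JSON object'];
  }
  const problems = [];
  const expectedAud = `https://${domain}/api/v2/`;
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAud)) {
    problems.push(`aud is ${JSON.stringify(claims.aud)}, expected ${expectedAud}`);
  }
  const scopes = typeof claims.scope === 'string' ? claims.scope.split(' ') : [];
  if (!scopes.includes(requiredScope)) problems.push(`scope ${requiredScope} missing`);
  if (typeof claims.exp === 'number' && claims.exp * 1000 <= Date.now()) {
    problems.push('token is expired');
  }
  return problems;
}

// Builds a constructed sample token; the signature segment is a dummy.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.dummysig`;
}

const DOMAIN = 'example.auth0.com'; // placeholder tenant domain (assumption)
const SCOPE = 'update:current_user_metadata'; // assumed scope, not named in the thread
const good = makeSampleToken({
  aud: [`https://${DOMAIN}/api/v2/`, `https://${DOMAIN}/userinfo`],
  scope: `openid profile ${SCOPE}`,
});
const userinfoOnly = makeSampleToken({
  aud: `https://${DOMAIN}/userinfo`, scope: 'openid profile user_metadata',
});
console.log(checkManagementToken(good, DOMAIN, SCOPE));
console.log(checkManagementToken(userinfoOnly, DOMAIN, SCOPE));
```

Run it against the token about to be passed to `auth0.Management` and look at the reported `aud` before changing library versions.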
