
Insufficient Scope but my token contains required permissions

Hi all, my first post here. I could not find anything relating to the issue that I am having and I’m hoping that someone can help me in order to save me some time. I am also new to using Auth0 and have started building an application that uses Auth0.

As the title suggests, I have a Node JS API which has a GET /users endpoint. This endpoint checks for a JWT and it also checks if the JWT is bearing the required scopes. For some reason when I call the GET endpoint, I get a response Insufficient Scope.

My API endpoint code looks like this:

import { Request, Response, NextFunction } from 'express';
import jwt from 'express-jwt';
import jwksRsa from 'jwks-rsa';
import jwtAuthz from 'express-jwt-authz';

// Scope required to get all users
const getUsersScopes = jwtAuthz(['read:users']);

const authConfig = {
    audience: "",
    domain: ""
};

// Validate the bearer token against the tenant's JWKS and expected audience/issuer
const checkJwt = jwt({
    secret: jwksRsa.expressJwtSecret({
        cache: true,
        rateLimit: true,
        jwksRequestsPerMinute: 5,
        jwksUri: `https://${authConfig.domain}/.well-known/jwks.json`
    }),
    audience: authConfig.audience,
    issuer: `https://${authConfig.domain}/`,
    algorithms: ['RS256']
});

// Route handler chain for GET /users (the router this is chained onto is defined elsewhere)
    .get(checkJwt, getUsersScopes, (req: Request, res: Response, next: NextFunction) => {
        next(); // hand off to the controller
    }, this.userController.getUsers);

Then I have an Angular app which sends my token to the API, and I can see that the token that is sent to the API contains a permissions property and it’s an array of all the permissions that my user has. It looks like so:

{
  "iss": "",
  "sub": "...",
  "aud": [ ... ],
  "iat": ...,
  "exp": ...,
  "azp": "...",
  "scope": "openid profile email",
  "permissions": [ ... ]
}

My question is, why does my Node JS API respond with “Insufficient Scope” when my token contains the required scope read:users?

I can call the endpoint perfectly fine when I remove the getUsersScopes from the .get() endpoint like so:

    .get(checkJwt, (req: Request, res: Response, next: NextFunction) => {
        next(); // hand off to the controller
    }, this.userController.getUsers);

Am I missing something obvious? Any advice would be greatly appreciated.

Thanks in advance,

Alright to answer my own question, well part of it, I found out that you can change the scope the permissions are checked against, as seen here:

So I added options to the jwtAuthz like so:

var options = {
    customScopeKey: 'permissions'
};
const getUsersScopes = jwtAuthz(['read:users'], options);

This made it check for the permissions in the permissions array found in the JWT, instead of the scope field in the JWT token.

I hope this helps other noobs like me out there :yum:

Happy coding!
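To make the mechanism behind this fix visible, here is an added example (not from the post above and not the express-jwt-authz library's own code): a small re-implementation of the scope check, run against a constructed token payload shaped like the one in the question. It assumes, as express-jwt does by default, that the decoded token is on req.user, and the hypothetical check() helper just drives the middleware with a fake req/res.

```javascript
// Added example: a minimal re-implementation of the check that a
// jwtAuthz-style middleware performs, to show why the default "scope"
// key fails for this token and why customScopeKey: "permissions" works.

// Constructed sample payload (placeholder values), shaped like the post's token.
const SAMPLE_PAYLOAD = {
  iss: "https://TENANT.example.invalid/",
  sub: "auth0|example-user",
  aud: ["https://api.example.invalid", "https://TENANT.example.invalid/userinfo"],
  scope: "openid profile email",          // OIDC scopes, space-delimited string
  permissions: ["read:users", "create:users"], // Auth0 RBAC permissions, array
};

// Returns a middleware in the same shape as jwtAuthz(expectedScopes, options).
// Assumption: decoded token lives on req.user (express-jwt's default).
// checkAllScopes mirrors the library's documented option (default: any one suffices).
function requireScopes(expectedScopes, options = {}) {
  const key = options.customScopeKey || "scope";
  const all = options.checkAllScopes === true;
  return function (req, res, next) {
    const claim = req.user && req.user[key];
    let granted = [];
    if (typeof claim === "string") granted = claim.split(" "); // "a b c" -> ["a","b","c"]
    else if (Array.isArray(claim)) granted = claim;            // already a list
    const ok = all
      ? expectedScopes.every((s) => granted.includes(s))
      : expectedScopes.some((s) => granted.includes(s));
    if (!ok) {
      res.status(403).send("Insufficient scope");
      return;
    }
    next();
  };
}

// Hypothetical helper: run the middleware with a fake req/res and report the outcome.
function check(payload, expectedScopes, options) {
  let status = 200;
  let passed = false;
  const req = { user: payload };
  const res = { status(code) { status = code; return this; }, send() { return this; } };
  requireScopes(expectedScopes, options)(req, res, () => { passed = true; });
  return passed ? "allowed" : `denied (${status})`;
}

// Default key "scope" sees only "openid profile email" -> denied (403).
// With customScopeKey: "permissions" the array is checked -> allowed.
console.log(check(SAMPLE_PAYLOAD, ["read:users"]));
console.log(check(SAMPLE_PAYLOAD, ["read:users"], { customScopeKey: "permissions" }));
```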

Glad you were able to figure it out yourself! Really appreciate that you also shared it with the rest of community!