Auth0 Home Blog Docs

Issue with delegation for a new client application



Recently we have created a new client, we copied all the old configuration, which used delegation to use LAYER API, and it worked fine. After the creation of the new client we noticed that delegation was deprecated for new clients. What should we do now to keep on using Layer, as its not working anymore and this is huge problem for us. Our configuration is actually like this:

client.on('challenge', (evt) => {
      var getIdentityToken = (nonce, callback) => {
        var data = {
          "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
          "target": CONFIG.auth.clientID,
          "id_token": Auth.token(),
          "api_type": "layer",
          "scope": "openid",
          "client_id": CONFIG.auth.clientID,
          "nonce": nonce
          .post(`https://${CONFIG.auth.domain}/delegation`, data)
          .then((response) => callback(;

      getIdentityToken(evt.nonce, (identityToken) => {

We are getting a 403 calling POST We need an answer ASAP as the production instance is depending on this.


If you haven’t done so already you should read the reference documentation associated with this change in order to have more context - Client Grant Types.

As a quick summary, if you created a new client application in an account that was already active at the time of the change (see the reference docs for exact dates) then although the legacy grant type for delegation not being included by default, you can still update the client application through the Management API to include the required grant type.