
Management API returns 403 when attempting to read users

I am attempting to show a list of users in the React app.
When attempting to access the Management API with api/v2/users/ I get:

{"statusCode":403,"error":"Forbidden","message":"Insufficient scope, expected any of: read:users,read:user_idp_tokens","errorCode":"insufficient_scope"}

But when I get the token for the api, I pass in the scope like so:
getTokenWithPopup({ scope: 'read:users' })

It doesn’t seem to care about the scope? It doesn’t seem to pop up at all with the confirmation dialogue. Am I setting the scope for the Management API in the wrong place?

Most operations available in the Management API are meant to only be called from a back-end application, because most of the endpoints allow for operations that you would not want a regular end-user to perform.

Due to the above, the approach to get an access token for the Management API and include those scopes is to perform a client credentials grant (https://auth0.com/docs/api/management/v2/get-access-tokens-for-production).

The client credentials grant is available only for confidential clients as those are able to maintain a secret and authenticate themselves in the token endpoint.

In conclusion, a React application (a browser-based application, so it’s considered a public client application) cannot perform a client credentials grant and as such also won’t be able to obtain a token with a scope such as read:users.

If you want to provide access to some of the features exposed by the Management API to a subset of your end-users, then you’ll need to have your own backend in the middle, so the React application calls your backend, which authorizes the call in order to guarantee it comes from an authorized user, and then the backend calls the Management API.
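The backend-in-the-middle pattern described in this answer, as an added example in Node (not Auth0's code or part of its SDK): the React app sends its own user token to this backend, the backend decides whether that caller may list users, then performs the client credentials grant itself and calls `/api/v2/users`. The tenant domain, client id and secret are placeholders, the `list:app-users` permission claim and `stubFetch` are constructed for the example, and verification of the incoming user token is assumed to have happened in earlier middleware.

```javascript
// Added example, not Auth0's code: backend between the React app and the
// Management API. Assumes the caller's user token was already verified by
// middleware (its claims are passed in); fetchFn is injectable to run offline.
const AUTH0_DOMAIN = 'YOUR_TENANT.auth0.com';                // placeholder
const CLIENT_ID = 'M2M_CLIENT_ID_PLACEHOLDER';               // placeholder
const CLIENT_SECRET = process.env.AUTH0_CLIENT_SECRET || 'SECRET_PLACEHOLDER';
const MGMT_AUDIENCE = `https://${AUTH0_DOMAIN}/api/v2/`;
let cached = null; // { token, expiresAt } for the M2M token

// Client credentials grant: only the backend holds CLIENT_SECRET, so only the
// backend can mint a Management API token. Reuse it until close to expiry.
async function getManagementToken(fetchFn, now = Date.now()) {
  if (cached && cached.expiresAt - 60000 > now) return cached.token;
  const res = await fetchFn(`https://${AUTH0_DOMAIN}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({ grant_type: 'client_credentials', client_id: CLIENT_ID,
      client_secret: CLIENT_SECRET, audience: MGMT_AUDIENCE }),
  });
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  const body = await res.json();
  cached = { token: body.access_token, expiresAt: now + body.expires_in * 1000 };
  return cached.token;
}

// The user's own token never carries read:users; the backend decides who may
// trigger the Management API call (here via a constructed `permissions` claim).
async function listUsersForCaller(callerClaims, fetchFn) {
  if (!(callerClaims.permissions || []).includes('list:app-users'))
    return { status: 403, body: { error: 'Forbidden' } };
  const token = await getManagementToken(fetchFn);
  const res = await fetchFn(`${MGMT_AUDIENCE}users`, {
    headers: { authorization: `Bearer ${token}` },
  });
  return { status: res.status, body: await res.json() };
}

// Constructed stub standing in for Auth0 so the example runs offline.
function stubFetch(url, opts = {}) {
  const reply = (status, body) => ({ ok: status < 300, status, json: async () => body });
  if (url.endsWith('/oauth/token')) {
    const req = JSON.parse(opts.body);
    if (req.grant_type !== 'client_credentials' || req.client_secret !== CLIENT_SECRET)
      return reply(401, { error: 'access_denied' });
    return reply(200, { access_token: 'stub-mgmt-token', expires_in: 86400 });
  }
  if (url === `${MGMT_AUDIENCE}users` && opts.headers.authorization === 'Bearer stub-mgmt-token')
    return reply(200, [{ user_id: 'auth0|example-1', email: 'alice@example.com' }]);
  return reply(401, { error: 'Unauthorized' });
}
```

In a real deployment `stubFetch` is replaced by Node's global `fetch`, and the permission check should be backed by whatever role or permission data the backend already trusts.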

Thanks @jmangelo
This was the issue.

As mentioned, I’ve created another API in the middle (between React and Auth0), which has its own M2M auth token. It works well!
