Management API throwing Unauthorized: Invalid Token error when attempting to create Password Change Ticket

Problem described in title. Here is my code:

```javascript
var request = require("request");

var options = {
  method: 'POST',
  url: `https://${MGMT_DOMAIN}/api/v2/tickets/password-change`,
  headers: { 'Content-Type': 'application/json', "Authorization": `Bearer ${access_token}` },
  // Serialize with JSON.stringify so quotes in a value cannot break the JSON body
  body: JSON.stringify({ connection_id: connection_id, email: email })
};

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});
```

I’ve double-checked all of the variables (MGMT_DOMAIN, access_token, connection_id). I don’t know what I’m doing wrong. I’ve also tried using the Node.js ManagementClient API instead, with the same error:

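```javascript
const { ManagementClient } = require('auth0');

// Authenticate with a pre-issued Management API access token
const management = new ManagementClient({
    domain: MGMT_DOMAIN,
    token: access_token
});

management.createPasswordChangeTicket({
  email,
  connection_id
})
  .then(console.log)
  .catch(console.error);
```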

I’ve also tried without directly specifying the token, using:

```javascript
// Let the SDK request tokens itself from the client ID and secret
const management = new ManagementClient({
    domain: MGMT_DOMAIN,
    clientId: MGMT_ID,
    clientSecret: MGMT_SECRET
});
```

with the same error. The API I am using is the default Auth0 Management API, so I am not sure what I’m doing wrong. I know I haven’t messed up the secrets/ids because I can call management.getAccessToken() just fine.

Edit: I managed to get it to work with the access token, but I need it to work with just providing the clientId and clientSecret and domain, so that I can use it with Auth0 Actions.

Hey @slcredentialmanager you could try setting an access token and testing the Management API endpoint here. Do you get the same error? Does your M2M application have create:user_tickets permissions?


I just updated the question description. I think the access token I was using was incorrect. I’ve fixed it now. However, the ideal goal would be to get things working with the ManagementClient object using just the client_id and client_secret and domain parameters. That way, I can provide those in the secrets of an Auth0 Action, whereas the token is so long that I can’t store it as a secret.

Also, the token is only valid for 24 hours anyway, so I can’t just use it directly.

Glad you got the access_token error figured out @slcredentialmanager!

There is an Auth0 FAQ post here that shows how to generate access tokens using the clientId, clientSecret, and domain in an Auth0 Action, and how to cache it for future requests.

Hope this helps :crossed_fingers:


Thanks. Unfortunately, I can’t seem to generate a valid token using the clientId, clientSecret and domain. I tried this:

```javascript
const axios = require('axios').default;

// Values elided in the original post
const client_id = '...';
const client_secret = '...';
const MGMT_DOMAIN = '...';

// Step 1: client credentials grant against the tenant's token endpoint
axios({
  method: 'POST',
  url: `https://${MGMT_DOMAIN}/oauth/token`,
  headers: { 'Content-Type': 'application/json' },
  data: {
    client_id: client_id,
    client_secret: client_secret,
    audience: `https://${MGMT_DOMAIN}/api/v2/`,
    grant_type: "client_credentials"
  }
})
  .then(res => {
    // Step 2: call the Management API with the returned access token
    // (connection_id and email are defined elsewhere)
    const token = res.data['access_token'];
    return axios({
      method: 'POST',
      url: `https://${MGMT_DOMAIN}/api/v2/tickets/password-change`,
      headers: { 'Content-Type': 'application/json', "Authorization": `Bearer ${token}`},
      data: { connection_id, email }
    })
  })
  .catch(console.error);
```

which basically gets an access token and then attempts to use it to create a password change ticket. But I am still getting the same error, which is Unauthorized: Invalid Token.

Edit: I also tried testing it out in here, but it gave me the same error. Somehow, I am generating the token incorrectly.

Ugh, it was a permissions issue. For some reason, the Auth0 Management API (Test Application) didn’t have all grants. I assigned all the grants to it, and it successfully makes the ticket.

However, no reset password email gets sent! No idea why.

Edit: Oops, I was supposed to use this API call instead.

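Added example, not part of the thread or of Auth0's code: since the fix turned out to be missing grants on the M2M application, this Node.js sketch inspects a token's claims locally to confirm the audience, expiry and `create:user_tickets` scope before calling the endpoint. It assumes the access token is a JWT with `aud`, `exp` and a space-separated `scope` claim; the tenant domain and sample tokens are constructed.

```javascript
// Diagnostic only: decodes the payload WITHOUT verifying the signature,
// so it must never be used as an authorization check.
function decodeJwtPayload(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) throw new Error('not a three-part JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns the reasons the token's claims do not match what the call needs;
// an empty list means audience, expiry and scopes all look right.
function checkManagementToken(token, domain, requiredScopes, now = Date.now()) {
  let claims;
  try {
    claims = decodeJwtPayload(token);
  } catch (err) {
    return [`malformed token: ${err.message}`];
  }
  const problems = [];
  const expectedAud = `https://${domain}/api/v2/`;
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAud)) problems.push(`audience is not ${expectedAud}`);
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) {
    problems.push('token is expired');
  }
  const granted = new Set(String(claims.scope || '').split(' ').filter(Boolean));
  for (const scope of requiredScopes) {
    if (!granted.has(scope)) problems.push(`missing scope ${scope}`);
  }
  return problems;
}

// Constructed sample tokens with a fake signature (no real tenant or secret).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const DOMAIN = 'example-tenant.auth0.com'; // hypothetical tenant domain
const NOW = 1700000000000;                 // fixed clock for the example
const base = { aud: `https://${DOMAIN}/api/v2/`, exp: NOW / 1000 + 86400 };
const noGrant = makeSampleToken({ ...base, scope: 'read:users' });
const withGrant = makeSampleToken({ ...base, scope: 'read:users create:user_tickets' });

console.log(checkManagementToken(noGrant, DOMAIN, ['create:user_tickets'], NOW));
console.log(checkManagementToken(withGrant, DOMAIN, ['create:user_tickets'], NOW));
```

Only the problem list is printed, never the token itself, so the check is safe to leave in logs while debugging an Action.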
