Overview
After adding new permissions (scopes) to the Auth0 Management API, the Access Token generated via the API Explorer tab (or any other machine-to-machine application) does not include these new scopes.
- This leads to 403 Forbidden errors when trying to use an endpoint that requires one of the newly added permissions.
- For example, after adding the update:roles and create:role_members permissions to the API, an attempt to assign a user to a role fails with a 403 error because the token lacks the required scopes.
Applies To
- Auth0 Management API
- API Permissions
Cause
When new permissions are added to an API’s settings, they are not automatically granted to the applications that are already authorized to use that API.
- Each application, including the Auth0 Management API Explorer application, must be explicitly granted authorization to use the new permissions.
- The application’s list of authorized scopes must be manually updated after the API’s available scopes have been changed.
Solution
To resolve this, update the permissions granted to the specific application that is requesting the token.
- Navigate to Applications > Applications in your Auth0 Dashboard.
- Find and select the application. If the test token from the API Explorer is used, this will be the Auth0 Management API Explorer application.
- Click on the APIs tab.
- Auth0 Management API is listed with the “Authorized” checkbox checked.
- Click the expand icon (▾) to see the full list of permissions for that API.
- Search for the new permissions you recently added (e.g., update:roles, create:role_members) and select the checkbox next to each one.
- Click the Update button at the bottom to save the changes. (See image below for reference)
After completing these steps, generate a new Access Token. It will now contain the newly authorized scopes, and the API calls will succeed.
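A quick way to confirm the fix before calling the endpoint again is to inspect the scope claim of the freshly issued Access Token and compare it with the permissions the endpoint needs. The following is an added example, not Auth0 code; it assumes the role-assignment endpoint needs the two scopes named above, and the sample tokens are constructed locally with a placeholder signature.

```python
import base64
import json

# Assumption from the article: the role-assignment call needs these two scopes.
REQUIRED_SCOPES = {"update:roles", "create:role_members"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_scopes(access_token: str) -> set:
    """Return the scopes in the JWT's space-separated 'scope' claim.
    The payload is decoded for inspection only; the signature is NOT
    verified, so never use this to make an authorization decision."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("scope", "").split())


def missing_scopes(access_token: str, required=REQUIRED_SCOPES) -> set:
    """Scopes the endpoint needs that the token lacks; a non-empty result
    predicts the 403 Forbidden described in the Overview."""
    return set(required) - token_scopes(access_token)


def _make_demo_token(scope: str) -> str:
    """Constructed sample token: real header/payload layout, placeholder
    signature. Not a token issued by Auth0."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": "https://YOUR_TENANT.auth0.com/",
               "aud": "https://YOUR_TENANT.auth0.com/api/v2/",
               "scope": scope, "gty": "client-credentials"}
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


# Token minted before the application was granted the new permissions
STALE_TOKEN = _make_demo_token("read:users read:roles")
# Token minted after clicking Update in the Solution section
FRESH_TOKEN = _make_demo_token("read:users read:roles update:roles create:role_members")

if __name__ == "__main__":
    for name, tok in (("stale", STALE_TOKEN), ("fresh", FRESH_TOKEN)):
        gap = missing_scopes(tok)
        print(f"{name}: {'OK' if not gap else 'expect 403, missing ' + ' '.join(sorted(gap))}")
```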