Overview
When getting a Management API token from the API Explorer tab under Management API in Applications > APIs, it is expected that all scopes are included by default. However, when calling a specific endpoint, a user may get the error:
{
  "statusCode": 403,
  "error": "Forbidden",
  "message": "Insufficient scope, expected any of: example:scope",
  "errorCode": "insufficient_scope"
}
Applies To
- Management API Token
- Grants
- Insufficient Scope
Cause
It is possible some scopes were deleted or modified at some point under client grants.
Alternatively, some older tenants may have API Explorer applications that were created prior to the introduction of new scopes for the Management API, and need their permissions updated.
Solution
Using the Tenant Dashboard:
The API Explorer application's authorized permissions can be updated in the dashboard by going to Applications > API Explorer Application.
Open the APIs tab, expand the dropdown for Auth0 Management API, and check the missing permissions required for the endpoints. See the screenshot below for an example of adding read:refresh_tokens to the API Explorer Application's authorized permissions:
After checking the required permission(s) and selecting Update, fetching a new token should allow the request to succeed now that it contains the correct scopes.
Using the Management API
Alternatively, the authorized permissions that are stored under the relevant client grant for the API Explorer + Auth0 Management API pair can be updated via the Management API:
- Use the Get Client Grants (GET /api/v2/client-grants) endpoint to verify whether the API Explorer Application is missing the required Auth0 Management API grant, or to find the grant_id that needs updating and its currently authorized scopes.
- Use the Update Client Credentials (PATCH /api/v2/client-grants/{id}) endpoint to manually add back the missing scopes, making sure to include all the other scopes from the initial GET response, since the PATCH replaces the whole scope array.
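The two-step procedure above, as an added example that is not part of the original article or Auth0's own SDK: it reads the client grant for the API Explorer application and the Management API audience, merges the missing scopes into the scopes the grant already has (so the PATCH does not silently drop an existing permission), and sends the PATCH. The tenant domain, the API Explorer client_id and the token are placeholders; the token used to run it is assumed to carry read:client_grants and update:client_grants, otherwise these calls fail with the same insufficient_scope error.

```python
import json
import urllib.parse
import urllib.request

# Placeholders (assumed): replace with the tenant domain, the API Explorer
# application's client_id, and a Management API token that has the
# read:client_grants and update:client_grants scopes.
DOMAIN = "YOUR_TENANT.auth0.com"
EXPLORER_CLIENT_ID = "YOUR_API_EXPLORER_CLIENT_ID"
MGMT_TOKEN = "YOUR_MANAGEMENT_API_TOKEN"
MGMT_AUDIENCE = f"https://{DOMAIN}/api/v2/"


def find_management_api_grant(grants, client_id, audience):
    """Return the grant linking client_id to the Management API audience, or None
    if the application has no such grant at all."""
    for grant in grants:
        if grant.get("client_id") == client_id and grant.get("audience") == audience:
            return grant
    return None


def merged_scopes(current, missing):
    """Existing scopes plus the missing ones, order preserved, duplicates removed.
    PATCH /client-grants/{id} replaces the whole scope array, so every scope the
    grant already has must be resent alongside the new ones."""
    seen = set()
    out = []
    for scope in list(current) + list(missing):
        if scope not in seen:
            seen.add(scope)
            out.append(scope)
    return out


def build_patch_body(grant, missing):
    """Body for PATCH /api/v2/client-grants/{id}: only the scope field is sent."""
    return {"scope": merged_scopes(grant.get("scope", []), missing)}


def _request(method, path, body=None, query=None):
    """Minimal Management API call using only the standard library."""
    url = f"https://{DOMAIN}{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url,
        data=data,
        method=method,
        headers={
            "Authorization": f"Bearer {MGMT_TOKEN}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def add_missing_scopes(missing):
    """GET the grant, merge the scopes, PATCH it back; returns the updated grant."""
    grants = _request(
        "GET",
        "/api/v2/client-grants",
        query={"client_id": EXPLORER_CLIENT_ID, "audience": MGMT_AUDIENCE},
    )
    grant = find_management_api_grant(grants, EXPLORER_CLIENT_ID, MGMT_AUDIENCE)
    if grant is None:
        # No grant at all: the Management API must be authorized for the
        # application first (dashboard steps above), there is nothing to PATCH.
        raise SystemExit("API Explorer application has no Auth0 Management API grant")
    body = build_patch_body(grant, missing)
    return _request("PATCH", f"/api/v2/client-grants/{grant['id']}", body=body)


if __name__ == "__main__":
    # Example from the article: add read:refresh_tokens to the grant.
    print(json.dumps(add_missing_scopes(["read:refresh_tokens"]), indent=2))
```

Filtering the GET by client_id and audience keeps the response to the one grant of interest; if the list comes back empty the application was never authorized for the Management API, which is the dashboard case rather than the PATCH case.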