Minimum scopes for the Auth0 Management API

I’ve created an application in Auth0. It’s been granted the read:users permission only. I’m using the application’s client id/client secret in a client_credentials exchange to call /oauth/token to get a token (requesting scopes openid profile email) and intend to call /api/v2/users/xxx with that token to get user information.

However, when I go to request the token it is failing with Client has not been granted scopes: openid, profile, email. These scopes are not listed for the Auth0 Management API, at least in the web interface. I also don’t see anything in the API documentation about those scopes.

Is there something fundamentally wrong with what I’m doing? Or does one of the read: permissions grant me what I need?

I guess I was just doing it wrong after all. When calling /oauth/token I was including a scopes field in the request, but you can omit it in the request and it’ll just return whatever scopes are granted to the client in the JWT it returns. Much less fuss.


Hi @dgilman,

Welcome to the Auth0 Community!

Thanks for following up! The openid, profile, and email scopes are for user-centric transactions. Because you are performing an M2M machine operation, you only need to include the scopes for that transaction. In your case, it sounds like you just need to read user info, and that would require the read:users scope.
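As an added illustration of the advice above (this is example code, not from the thread or from Auth0's own SDKs), the script below builds the client_credentials request the way it worked for the asker: audience set to the Management API identifier and no scope field at all. It then inspects the returned JWT's scope claim locally so the caller can check for read:users before hitting /api/v2/users/{id}, and URL-encodes the user id (Auth0 ids contain a `|`). The tenant domain, client id, client secret and the sample token are constructed placeholders; the payload decode is unverified on purpose, because the Management API, not this client, is the party that validates the signature.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholders; replace with your tenant and M2M application's credentials.
AUTH0_DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "client-id-placeholder"
CLIENT_SECRET = "client-secret-placeholder"


def management_audience(domain: str) -> str:
    """The Management API identifier is the tenant's /api/v2/ URL."""
    return f"https://{domain}/api/v2/"


def build_token_request(domain: str, client_id: str, client_secret: str) -> dict:
    """Body for the client_credentials exchange at /oauth/token.

    Deliberately no 'scope' field: the issued token carries whatever scopes
    the client was granted for this audience (here, read:users).
    """
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": management_audience(domain),
    }


def decode_jwt_payload_unverified(token: str) -> dict:
    """Decode only the payload segment of a compact JWS (no signature check).

    Good enough to read the granted scopes on the client side; the API that
    consumes the token verifies the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_scopes(token: str) -> set:
    """Auth0 access tokens carry granted scopes as a space-separated 'scope' claim."""
    return set(decode_jwt_payload_unverified(token).get("scope", "").split())


def has_scope(token: str, required: str) -> bool:
    return required in granted_scopes(token)


def user_request(domain: str, token: str, user_id: str) -> urllib.request.Request:
    """GET /api/v2/users/{id}; the id is percent-encoded so 'auth0|...' survives."""
    url = f"https://{domain}/api/v2/users/{urllib.parse.quote(user_id, safe='')}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def fetch_management_token(domain: str, client_id: str, client_secret: str) -> str:
    """Live exchange against /oauth/token (network); returns the access token."""
    body = json.dumps(build_token_request(domain, client_id, client_secret)).encode()
    req = urllib.request.Request(
        f"https://{domain}/oauth/token",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def make_sample_token(scope: str) -> str:
    """Constructed, unsigned stand-in for an Auth0 access token, for offline use only."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": management_audience(AUTH0_DOMAIN), "scope": scope, "gty": "client-credentials"}
    return f"{b64(header)}.{b64(payload)}."


if __name__ == "__main__":
    # Offline walk-through with the constructed token.
    token = make_sample_token("read:users")
    if not has_scope(token, "read:users"):
        raise SystemExit("token lacks read:users; grant it to the application first")
    req = user_request(AUTH0_DOMAIN, token, "auth0|000000000000000000000000")
    print("would call:", req.full_url)
    # For a live run: token = fetch_management_token(AUTH0_DOMAIN, CLIENT_ID, CLIENT_SECRET)
```

The check with has_scope is the cheap local version of what the Management API does on every call: if read:users is missing from the scope claim, the request would fail with 403 anyway, so failing fast here gives a clearer error than a generic "insufficient scope" response.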
