I’m building a first-party account management page for users. The app uses Auth0 for authentication, and I would like users to manage and add passkeys from this account page.
Based on the Auth0 My Account API documentation, it looks like I need these scopes on the My Account API resource server:
When my application requests the My Account API audience, Auth0 returns an error saying that the client is not authorized to access the My Account API resource server.
My use case is:
Show existing passkeys
Let users add a new passkey
Let users rename/delete passkeys
Do this from our own account management page, not only during hosted login
Questions:
Are the *:me:authentication_methods scopes still Limited Early Access / tenant-gated?
If yes, how can we request access for a tenant?
Is there any currently supported alternative for self-service passkey enrollment from a custom account management page?
Can this be solved by creating a custom Auth0 API/resource server, or must it be enabled specifically on the Auth0 My Account API?
The reason you cannot see these scopes in your dashboard is that the Authentication Methods endpoints within the My Account API are currently in Early Access (as you have correctly inquired about in your post) and are tenant-gated.
If you only see the connected_accounts scopes under the My Account API in your Auth0 Dashboard, the Authentication Methods (Passkeys) feature has not been toggled on for your specific tenant.
To get these scopes enabled, you must contact your Auth0 Account Manager or open a ticket with Auth0 Support. Specifically, request to be enrolled in the Early Access program for “Authentication Methods via the My Account API” so you can manage passkeys from a first-party application. If your tenant is not under an Enterprise or B2B Pro subscription, you will not be able to requests these to be enabled unfortunately.
Without the My Account API, there is no direct, fully-custom API alternative for enrolling passkeys. WebAuthn enrollment requires Auth0 to generate a secure challenge, pass it to your frontend, and verify the cryptographic signature from the user’s device.
The standard GA approach is to use Auth0 Universal Login’s Progressive Enrollment . When enabled, Auth0 will automatically prompt users to create a passkey during their standard login flow. Alternatively, you can build custom workflows using Auth0 Forms, but underneath the hood, the forms engine still relies on the My Account API to handle the actual WebAuthn registration.
For Deleting/Viewing Passkeys: Yes, you could build a workaround. You could create your own backend Custom API, have your frontend call it, and your backend could use a Machine-to-Machine (M2M) token to call the Auth0 Management API (GET /api/v2/users/{id}/authentication-methods and DELETE ). For Creating/Enrolling Passkeys:No . You cannot easily proxy WebAuthn registration challenges through a custom backend API. It must be handled by the My Account API, which exposes the specific POST /me/v1/authentication-methods and /verify endpoints engineered to handle the browser’s WebAuthn API handshakes.