Not Possible to Remove the Scopes in the Token for Machine-to-Machine Applications Inside a Credentials-Exchange Action

Overview

An error occurs when using the method api.accessToken.addScope() or api.accessToken.removeScope() in the Actions Editor.

Property 'addScope' does not exist on type 'AccessTokenAPI'

This error is observed in the context of the Machine-to-machine flow.

While these methods exist in other flows (e.g., Login Flow, as shown in the screenshot below), in this flow they produce an error in the IDE.

Applies To

  • Node 18 runtime.
  • Machine-to-Machine Flow

Cause

This is a current limitation of Auth0.
The scopes cannot be removed from M2M tokens, and all granted scopes will be returned for the M2M application. This is explained in the link to our Community Article below.

Solution

This is a current limitation of Auth0. The scopes need to be kept in the token.
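
Although the scope list cannot be edited in this flow, a credentials-exchange Action can still read it and refuse to issue the token. The following is an added example, not part of the original article and not Auth0's own code. It assumes the trigger exposes event.client.client_id, event.accessToken.scope and api.access.deny(); ALLOWED_SCOPES, excessScopes and the client ID are hypothetical names and constructed values.

```javascript
// Constructed allow-list: client ID -> scopes this client may receive.
// The client ID and scope names are placeholders, not values from the article.
const ALLOWED_SCOPES = {
  EXAMPLE_CLIENT_ID: ["read:reports"],
};

// Return the scopes in `granted` that are outside the client's allow-list.
// A client missing from the allow-list is treated as allowed nothing,
// so every scope it was granted counts as excess.
function excessScopes(clientId, granted, allowList = ALLOWED_SCOPES) {
  const known = Object.prototype.hasOwnProperty.call(allowList, clientId);
  const allowed = new Set(known ? allowList[clientId] : []);
  // Accept either an array of scopes or a space-delimited string.
  const list = Array.isArray(granted)
    ? granted
    : String(granted || "").split(/\s+/).filter(Boolean);
  return list.filter((scope) => !allowed.has(scope));
}

// Credentials-exchange handler. addScope()/removeScope() are not available
// here, so the only control is to deny the request when the token would
// carry more scopes than the allow-list permits.
const onExecuteCredentialsExchange = async (event, api) => {
  const excess = excessScopes(event.client.client_id, event.accessToken.scope);
  if (excess.length > 0) {
    api.access.deny(
      "invalid_scope",
      `Scopes not permitted for this client: ${excess.join(" ")}`
    );
  }
};

// Export for the Actions runtime when a CommonJS `exports` object exists.
if (typeof exports !== "undefined") {
  exports.onExecuteCredentialsExchange = onExecuteCredentialsExchange;
}
```

A denial here surfaces scope drift in the M2M application's grant; the grant itself still has to be corrected where the scopes are assigned.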