Password reset email doesn't work

I’ve had password reset emails working in the dev tenant until recently. Now it’s not working with the following flow.

  1. A user is added through the management API and a request is made to reset their password using AuthenticationApiClient.ChangePasswordAsync()
  2. The call to the API returns “We’ve just sent you an email to reset your password.” (see below log 1)
  3. The email never arrives and when looking. Inspecting the tenant log shows “Failed Sending Notification” (see below log 2)

I’m using SengGrid as my email provider and can confirm that the reset password email is never issued by Auth0. I’ve verified that the tenant ID and the client ID of the backend application are correct (haven’t changed). The code to make a request hasn’t changed either

var authenticationApiClient = new Auth0.AuthenticationApi.AuthenticationApiClient(configuration["Auth0:Management:Auth0Domain"]);
var res = await authenticationApiClient.ChangePasswordAsync(new ChangePasswordRequest
	ClientId = configuration["Auth0:Management:ClientId"],
	Email = candidate.Email,
	Connection = "Username-Password-Authentication"

At this point, I’m not sure how to troubleshoot this issue given that the code and configuration haven’t changed. The backend application is authorized to access the Auth0 Management API:

Log 1 - user-specific log

  "date": "2022-04-11T05:32:14.182Z",
  "type": "scpr",
  "description": "We've just sent you an email to reset your password.",
  "connection": "Username-Password-Authentication",
  "connection_id": "***reducted***",
  "client_id": "***reducted***",
  "client_name": "Tva.Server (Dev)",
  "ip": "***reducted***",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "details": {
    "body": {
      "tenant": "***reducted***",
      "client_id": "***reducted***",
      "connection": "Username-Password-Authentication",
      "email": "***reducted***",
      "verify": true,
      "debug": false
  "user_id": "auth0|***reducted***",
  "user_name": "***reducted***",
  "strategy": "auth0",
  "strategy_type": "database",
  "log_id": "90020220411053215097263097847166670863543661769904881682",
  "_id": "90020220411053215097263097847166670863543661769904881682",
  "isMobile": false

Log 2 - tenant log

  "date": "2022-04-11T05:32:14.305Z",
  "type": "fn",
  "description": "***reducted***",
  "connection": "Username-Password-Authentication",
  "connection_id": "",
  "client_id": "***reducted***",
  "details": {
    "email_type": "reset_email",
    "to": "***reducted***",
    "error": "The provided authorization grant is invalid, expired, or revoked"
  "log_id": "90020220411053219380263097850862357094105583500579045394",
  "_id": "90020220411053219380263097850862357094105583500579045394",
  "isMobile": false,
  "user_agent": "Other 0.0.0 / Other 0.0.0"

@dan.woda does this ring a bell?

Before posting this question, I saw a similar question but disregarded it due to the fact that my API key with SendGrid was not changed or modified. I tried sending a test email and sure thing, it failed with the same error message as the one in log #2. Out of curiosity, I’ve decided to follow the instructions in the post mentioned earlier and set the API key again to the very same value it was always set to. And, surprise, surprise, it worked.

The only change that has taken place recently was me scripting the tenant with Auth0 Deploy CLI tool. So the question is, how did the API key for SendGrid got changed if I did not touch it? Is there a way to track it down?

Also, that error message could have been improved.

1 Like

Thanks for sharing this with the rest of community as well as sharing all that context. I’ll make sure to relay that to appropriate team!