Resource Owner Password Flow for testing


I have a backend server that authenticates requests using jwt tokens included in the request.

I want to do some tests for the endpoints to simulate a new user doing actions using Postman, so I need to get a jwt token.

I saw that there is an auth0 authentication flow that lets you log in with a username and password, however there are warnings against it in the documentation.

Are the warnings only because users should not be giving an application their auth0 password or because there are some inherent flaws in keeping this authentication flow open in a production application?

Since I would be using a demo user and only running this from Postman, the password getting lost isn’t a problem.


Hey @trilobyte, Welcome to Auth0 Community!

Yes the warning is because the client(application) is holding a very sensitive data(user credentials) , So it should be a Highly trusted client. The recommended application should be able to maintain the confidentiality of the credentials.

Let me know if this helps!

Thanks for the quick reply @sidharth.chaudhary!

One last question, are we opening up our auth0 to brute force attacks by using this authentication flow method?

Hey @trilobyte,

Brute force protection can be enabled for ROPG flow as well , check this link:

You need to forward the IP address using the auth0-forwarded-for header: