Resource Owner Password Flow not working when using node/JS while cURL works

We have an app live (, that knows about a username and password.
The goal is to login as a user with JavaScript.

We were following the docs here resource-owner-password-flow
and here call-your-api-using-resource-owner-password-flow

By posting to the endpoint
with the payload like the one from here migration-oauthro-oauthtoken

    {
      "grant_type": "",
      "client_id": "1234567890",
      "client_secret": "1234567890",
      "username": "alice",
      "password": "123456",
      "realm": "Username-Password-Authentication",
      "scope": "openid profile email offline_access",
      "audience": ""
    }

We used the application settings (domain, client_id, client_secret) from the app.
We also made sure to configure Callback URL and Password grant type here:
Application URIs → Allowed Callback URLs
Advanced settings → Grant Types

Also we were using the default Realm here:
Neither the default Database Connection Username-Password-Authentication provided by Auth0
nor its Identifier con_1234567890 led to anything but a 401 response.

Neither nor password as grant_type led to anything but a 401 response.

The user’s email is verified and its Primary Identity Provider is the very Username-Password-Authentication Database.
Of course its name and password are correct. The OAuth2/OIDC Flow works without problems.

Testing with the Authentication API Debugger Extension from here:
also led to a 401 response only

    {
      "err": {
        "readyState": 4,
        "responseText": "{\"error\":\"access_denied\",\"error_description\":\"Unauthorized\"}",
        "responseJSON": {
          "error": "access_denied",
          "error_description": "Unauthorized"
        },
        "status": 401,
        "statusText": "error"
      }
    }

Could you provide assistance with this?

Thanks for your support

Hi @skew202

What is the entry in the tenant logs? Does it give more information?



Hi @john.gateley ,
thank you for assisting with this one here!


    {
      "date": "2021-04-14T09:26:41.082Z",
      "type": "fepft",
      "description": "Unauthorized",
      "connection_id": "",
      "client_id": "1234567890",
      "client_name": null,
      "ip": "12.345.678.90",
      "client_ip": "12.345.678.90",
      "user_agent": "1234567890",
      "hostname": "",
      "user_id": "",
      "user_name": "",
      "audience": null,
      "scope": "openid name email nickname",
      "log_id": "1234567890",
      "_id": "1234567890",
      "isMobile": false
    }

To my surprise, the cURL returns the access_token just fine, while the js request errors with unauthorized access.

curl --request POST \
  --url \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=password \
  --data username=USERNAME \
  --data password=PASSWORD \
  --data audience=AUDIENCE \
  --data scope='openid profile email' \
  --data client_id=CLIENT_ID \
  --data client_secret=CLIENT_SECRET

var axios = require("axios").default;

var options = {
  method: 'POST',
  url: '',
  headers: {
    'content-type': 'application/x-www-form-urlencoded',
    'mode': 'no-cors'
  },
  data: {
    grant_type: 'password',
    username: 'USERNAME',
    password: 'PASSWORD',
    audience: 'AUDIENCE',
    scope: 'openid profile email',
    client_id: 'CLIENT_ID',
    client_secret: 'CLIENT_SECRET'
  }
};

axios.request(options).then(function (response) {
  console.log(response.data);
}).catch(function (error) {
  console.error(error);
});
Hi @skew202

I don’t see anything obvious. The next step is to sniff the packets for the curl command and the javascript and see what is different.
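
The comparison suggested above can also be made offline, without a packet capture. This is an added example, not code from the thread or from Auth0: it builds the request body that the cURL command sends and the body a client sends when it JSON-serializes a plain `data` object, then parses each the way a form-urlencoded receiver would. The JSON serialization is an assumption (it is the axios 0.x default for object `data`; the thread does not confirm it as the cause), and the function names are hypothetical.

```javascript
// Constructed placeholder values, matching the placeholders used in the thread.
const fields = {
  grant_type: 'password',
  username: 'USERNAME',
  password: 'PASSWORD',
  audience: 'AUDIENCE',
  scope: 'openid profile email',
  client_id: 'CLIENT_ID',
  client_secret: 'CLIENT_SECRET',
};

// Body built by repeated `curl --data k=v` arguments: pairs joined with '&', sent as typed.
function curlBody(obj) {
  return Object.entries(obj).map(([k, v]) => `${k}=${v}`).join('&');
}

// Assumption: the HTTP client JSON-serializes a plain object passed as `data`
// (the axios 0.x default), even though the header says form-urlencoded.
function jsonBody(obj) {
  return JSON.stringify(obj);
}

// Explicit form encoding of the same fields.
function formBody(obj) {
  return new URLSearchParams(obj).toString();
}

// What a form-urlencoded parser on the receiving side recovers from a body.
function parseAsForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Names of expected fields that do not survive form parsing of the body.
function missingFields(body, expected) {
  const seen = parseAsForm(body);
  return Object.keys(expected).filter((k) => seen[k] !== expected[k]);
}

for (const [name, make] of [['curl', curlBody], ['json', jsonBody], ['form', formBody]]) {
  const body = make(fields);
  console.log(name.padEnd(4), 'missing after form parsing:', missingFields(body, fields));
}
```

A receiver that sees no `client_id`, `username` or `password` cannot authenticate the request, so a body/content-type mismatch is one difference worth ruling out when comparing the two clients.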