Resource Owner Password flow only works with headers removed

Following up on this old thread here

I, too, needed to remove the header attribute (using the node.js with axios call format) that is referenced in several Auth0 docs that explain the Resource Owner Password flow - like here, or here.

problem header:

"content-type": "application/x-www-form-urlencoded"

Can anyone shine a light on why this header fails the call? I only ever receive a 401 HTTP error and a CORS warning:

Access to XMLHttpRequest at 'https://my_auth_api/oauth/token' from origin 'http://localhost:1234' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Seems like there needs to be an update to the documentation unless I’m really off the mark.

Any insight would be helpful - Thanks!

Hi @peter22,

Welcome to the Auth0 Community!

I understand that you encountered issues when making a Resource Owner Password Grant (ROPG) flow request.

I have seen this issue in the past, and it involves fixing the content-type in the request to application/json.

See below:

var axios = require("axios").default;

var options = {
  method: 'POST',
  url: '',
  headers: {'content-type': 'application/json'},
  data: {    
    grant_type: "password",
    username: "",
    password: "pwd",
    scope:  'read:sample',
    client_id: "YOUR_CLIENT_ID",
    client_secret: "YOUR_CLIENT_SECRET"


axios.request(options).then(function (response) {
}).catch(function (error) {

Let me explain further. When using the "application/x-www-form-urlencoded" content-type as shown in our documentation, the data gets passed as URL encoded. Meaning that the data is appended to the URL, like below:


Whereas the "application/json" content type is used for POSTing JSON data.

Hoped this helps!

Please let me know if you have any additional questions.

Thank you.

1 Like