
Right way to call userinfo


  • I have created an API with RS256 signing algorithm and http://localhost:3000/api/v1 as the Identifier (audience) and I added openid, phone, profile as the scopes to the created API

  • Then created an application to invoke the above API, with RS256 signing and turned off OIDC Conformant since I’m using a customized login page.

  • I was able to invoke the following authorize request successfully:

  • After getting the code I was able to execute the token call and received the access_token

    curl --request POST \
      --header 'content-type: application/json' \
      --data '{"client_id":"CLIENT_ID","client_secret":"CLIENT_SECRET","audience":"localhost:3000/api/v1","grant_type":"client_credentials","code":"CODE"}'

  • But after decoding the JWT token I couldn’t see the userinfo endpoint in audience field

  • So I’m getting an unauthorized error when executing the following userinfo call, but I was able to call my other API (secured resources) using the given access token without any issue.

    curl --request GET \
      --url '' \
      --header 'authorization: Bearer {ACCESS_TOKEN}' \
      --header 'content-type: application/json'


  • Then I tried to invoke the token endpoint using the userinfo URL as the audience value:

    curl --request POST \
      --url '' \
      --header 'content-type: application/json' \
      --data '{"client_id":"CLIENT_ID","client_secret":"CLIENT_SECRET","audience":"","grant_type":"client_credentials","code":"CODE"}'

  • Then I’m getting the following error:

    {"error":"access_denied","error_description":"Client is not authorized to access \"\". You might probably want to create a \"client-grant\" associated to this API. See:!/Client_Grants/post_client_grants"}

  • When I tried to add the userinfo URL as an additional Identifier (audience) when creating an API, I’m getting an error saying ‘provided identifier is reserved’.

  • Please let me know what I’m doing wrong here. Looking forward to your reply.


After you obtained the authorization code following your request to /authorize you’re not actually using it because you’re performing a client credentials grant (this part "grant_type":"client_credentials" of the request).

Check the reference documentation on how to implement the authorization code exchange.
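As an added example, not code from the thread or from Auth0, the following Python script shows the difference the answer is pointing at: the token request that actually redeems the authorization code (grant_type=authorization_code with the redirect_uri that was sent to /authorize) next to the client_credentials body from the question, plus the audience check the poster did by hand after decoding the token. The tenant domain, client values, redirect URI and the two sample tokens are placeholders constructed here; the sample tokens carry no real signature and the decoder is for inspection only, not validation.

```python
"""Authorization-code exchange against Auth0's /oauth/token, plus an `aud` check.

Added example for the thread above; not part of the original post or of Auth0.
AUTH0_DOMAIN and the client values are placeholders (assumptions).
"""
import base64
import json
import urllib.request
from typing import Callable, Dict, List

AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"         # assumption: placeholder tenant
API_AUDIENCE = "http://localhost:3000/api/v1"  # API identifier from the question
USERINFO_URL = f"https://{AUTH0_DOMAIN}/userinfo"


def build_code_exchange(domain: str, client_id: str, client_secret: str,
                        code: str, redirect_uri: str) -> Dict[str, object]:
    """Token request that redeems the code obtained from /authorize.

    The request in the thread sent grant_type=client_credentials, which is the
    machine-to-machine grant: Auth0 ignores `code` there and issues a token for
    the client itself, not for the user who logged in.
    """
    return {
        "url": f"https://{domain}/oauth/token",
        "body": {
            "grant_type": "authorization_code",
            "client_id": client_id,
            "client_secret": client_secret,
            "code": code,
            "redirect_uri": redirect_uri,  # must match the /authorize request
        },
    }


def _post_json(url: str, body: Dict[str, object]) -> Dict[str, object]:
    """Real HTTP POST to the token endpoint (replaced by a fake when run offline)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"content-type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def exchange_code(request: Dict[str, object],
                  post: Callable[..., Dict[str, object]] = _post_json) -> str:
    """Send the token request and return the access token, or raise on error."""
    response = post(request["url"], request["body"])
    if "access_token" not in response:
        raise RuntimeError(f"token endpoint error: {response}")
    return response["access_token"]


def jwt_claims(token: str) -> Dict[str, object]:
    """Decode the payload for inspection only; this does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audiences(claims: Dict[str, object]) -> List[str]:
    """`aud` may be a single string or a list; normalise to a list."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def can_call_userinfo(token: str, domain: str) -> bool:
    """True when the tenant's /userinfo endpoint is among the token's audiences."""
    return f"https://{domain}/userinfo" in audiences(jwt_claims(token))


def make_unsigned_jwt(claims: Dict[str, object]) -> str:
    """Constructed sample token with a dummy signature, for offline demonstration."""
    def b64(obj: object) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.signature"


# Constructed samples: a client_credentials token is scoped to the API only,
# while a user token requested with audience + openid also lists /userinfo.
M2M_TOKEN = make_unsigned_jwt({"aud": API_AUDIENCE, "scope": ""})
USER_TOKEN = make_unsigned_jwt(
    {"aud": [API_AUDIENCE, USERINFO_URL], "scope": "openid profile phone"})


if __name__ == "__main__":
    req = build_code_exchange(AUTH0_DOMAIN, "CLIENT_ID", "CLIENT_SECRET",
                              "CODE", "http://localhost:3000/callback")
    # Offline run: fake the token endpoint instead of calling the tenant.
    token = exchange_code(req, post=lambda url, body: {"access_token": USER_TOKEN})
    print("aud:", audiences(jwt_claims(token)))
    print("can call /userinfo:", can_call_userinfo(token, AUTH0_DOMAIN))
    print("client_credentials token can call /userinfo:",
          can_call_userinfo(M2M_TOKEN, AUTH0_DOMAIN))
```

The userinfo URL never has to be added as an API identifier (that is why Auth0 reports it as reserved): it appears in `aud` on its own when the user-facing grant is used with the API's audience and the `openid` scope. In production, replace the `jwt_claims` inspection with full signature and issuer validation before trusting any claim.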