Searching the User with the Management API Returns the IdP Token

Problem statement

Searching for a user with the Management API returns a token issued by the user's external identity provider (IdP). This article explains how to prevent that token from being returned in the response.

  • Code
from auth0.management import Auth0
auth0 = Auth0("<domain>", "<mgmt_api_token>")  # tenant domain and M2M token are placeholders
u = auth0.users_by_email.search_users_by_email(email="<email>")
print(u)
  • Response
[{'created_at': '2022-10-06T17:06:52.287Z', ..., 'provider': 'waad', 'access_token': '<token>', 'expires_in': 3842, 'last_login': '2023-11-23T06:55:08.033Z', 'logins_count': 136}]

Solution

The tokens for external IdPs are stored in the user profile. If the M2M client used for the Management API has the read:user_idp_tokens scope, the search user by email API will return this token in the response.

Removing this scope from the M2M application (APIs > Auth0 Management API > Permissions in the application settings) will stop the identities array, including this token, from being returned in the user profile.
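As an added example (not part of the article or the Auth0 SDK), a small Python check a defender can run before calling the Management API: inspect the scope claim of the M2M access token for read:user_idp_tokens, and strip any IdP credentials that still come back before the profile is logged or stored. The fake_jwt helper and SAMPLE_USERS are constructed for the demo and assume the identities array shape shown by the SDK.

```python
import base64
import json
from typing import Any

IDP_TOKEN_SCOPE = "read:user_idp_tokens"
# Keys inside an identity entry that carry external IdP credentials.
SECRET_KEYS = ("access_token", "refresh_token", "access_token_secret")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _jwt_payload(token: str) -> dict[str, Any]:
    """Decode the (unverified) payload of a JWT for local inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def grants_idp_tokens(mgmt_api_token: str) -> bool:
    """True if the Management API token carries the read:user_idp_tokens scope."""
    scopes = _jwt_payload(mgmt_api_token).get("scope", "").split()
    return IDP_TOKEN_SCOPE in scopes

def redact_idp_tokens(users: list[dict[str, Any]]) -> int:
    """Drop IdP credentials from every identity in place; return how many were removed."""
    removed = 0
    for user in users:
        for identity in user.get("identities", []):
            for key in SECRET_KEYS:
                if identity.pop(key, None) is not None:
                    removed += 1
    return removed

def fake_jwt(claims: dict[str, Any]) -> str:
    """Constructed, unsigned JWT-shaped string for the demo (not a real Auth0 token)."""
    header = _b64url(b'{"alg":"none"}')
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

# Constructed sample, shaped like a search_users_by_email() result.
SAMPLE_USERS = [{"email": "user@example.com", "logins_count": 136, "identities": [
    {"provider": "waad", "access_token": "<token>", "expires_in": 3842}]}]

if __name__ == "__main__":
    over_scoped = fake_jwt({"scope": "read:users read:user_idp_tokens"})
    print("token grants IdP tokens:", grants_idp_tokens(over_scoped))
    print("fields redacted:", redact_idp_tokens(SAMPLE_USERS))
```

Use grants_idp_tokens() as a guard in the service that calls the Management API, and redact_idp_tokens() on any response that is written to logs.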