Secret must be a string or buffer


OK, everything has been working fine for me for the last year or so, but a few weeks ago, when trying to authenticate, I started getting the following error back from Auth0.

```
err = {error: "server_error", errorDescription: "secret must be a string or buffer", state: "oRteTe0d_uX8MlaHxxijJdNQkC0ctM4v"}, authResult = undefined
```

```typescript
public auth0 = new auth0.WebAuth({
  audience: "i",
  domain: ".auth0.com",
  clientID: "s1NdHsyp1*****FyaKh",
  responseType: "token id_token",
  scope: "openid profile",
});
```

Now if I remove the audience from my AuthOptions then I can authenticate and I don’t get the error, but I don’t have the appropriate access token for calling my API.

I have disabled all my custom rules to make sure it is not one of them that is causing the issue but that has not fixed the issue.

To reiterate, this HAS been working for me and recently stopped working without any changes to my setup, as far as I’m aware. Please help, I’ve been tearing my hair out for ages on this one.

Based on the error message and the fact that the trigger is including the audience (which I assume is a custom API you created in the dashboard), you should review that API configuration. In particular, if that API is set to use HS256 for signing the tokens, make sure that a signing secret has been correctly provided.

A definitive way to check that is to use the Management API to get the raw JSON information for that API and check the signing_secret property (https://auth0.com/docs/api/management/v2#!/Resource_Servers/get_resource_servers).


I think you are onto it. I am using HS256, and when I copy the signing secret to the clipboard it is empty. Is there a way to change the signing secret? I can’t see a way, as it is greyed out.

Ok I figured out what’s going on.

The signing secret is empty. And I know what happened.

I’m actually programmatically using the patch resource servers management API to programmatically add scopes to my API:

https://auth0.com/docs/api/management/v2#!/Resource_Servers/patch_resource_servers_by_id

I am using the .NET SDK. It appears that after applying a patch with a new collection of scopes, my signing secret is empty.

I have managed to recreate this problem by creating a new API.
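The Management API check suggested earlier in the thread, and a before/after comparison that catches the scopes-patch regression described above, can be automated. The following is an added example, not part of the original thread or Auth0's own code: the function names and sample objects are constructed, and it assumes the resource-server JSON carries `signing_alg`, `identifier` and `scopes` alongside `signing_secret`.

```javascript
// True when an HS256 API has no usable signing secret, the state that makes
// token issuance fail with "secret must be a string or buffer".
function hasMissingHs256Secret(api) {
  if (api.signing_alg !== 'HS256') return false; // only HS256 uses signing_secret
  return typeof api.signing_secret !== 'string' || api.signing_secret.length === 0;
}

// Returns the identifiers (audiences) of every API in the broken state.
function findBrokenApis(resourceServers) {
  return resourceServers.filter(hasMissingHs256Secret).map((api) => api.identifier);
}

// Compares the same API before and after a PATCH and lists the signing fields
// that changed even though the patch body never mentioned them.
function unintendedSigningChanges(before, after, patchBody) {
  return ['signing_alg', 'signing_secret'].filter(
    (field) => !(field in patchBody) && before[field] !== after[field]
  );
}

// Constructed sample data, shaped like GET /api/v2/resource-servers output.
const before = {
  identifier: 'https://api.example.test/',
  signing_alg: 'HS256',
  signing_secret: 'constructed-sample-secret',
  scopes: [{ value: 'read:items', description: 'Read items' }],
};
// A scopes-only patch body, like the one described in the thread.
const patchBody = {
  scopes: [...before.scopes, { value: 'write:items', description: 'Write items' }],
};
// State reported in the thread after the patch: the secret comes back empty.
const after = { ...before, scopes: patchBody.scopes, signing_secret: '' };
const rs256Api = { identifier: 'https://other.example.test/', signing_alg: 'RS256' };

console.log(findBrokenApis([before, rs256Api])); // []
console.log(findBrokenApis([after, rs256Api])); // ['https://api.example.test/']
console.log(unintendedSigningChanges(before, after, patchBody)); // ['signing_secret']
```

Running the comparison right after every programmatic PATCH surfaces the cleared secret before users hit the login error.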

Thanks for sharing that knowledge with everyone @sjclark76!
