
[SPA] "Bad HTTP authentication header format" error while trying to use the Management API

Hi, I’m trying to use the Management API from a SPA application.

I’m using the Lock to authorize, this is my config to initialize it:

{
  "autoclose": true,
  "auth": {
    "sso": false,
    "redirect": false,
    "responseType": "token id_token"
  }
}

I obtain the Access Token like this:

lock.on('authenticated', (result) => {
  // using result.accessToken obtained here
})

This is how I initialize the Management instance:

const auth0Manage = new auth0.Management({
  token, // same access token obtained above
  domain, //
})

After that I get the logged user ID (sub) and then I try to consume any Management API like this:

auth0Manage.getUser(user.sub, (err, res) => {
  if (err) console.log({ err })
  else console.log({ res })
})

But I end up getting this response:

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Bad HTTP authentication header format",
  "errorCode": "Bearer"
}

I’ve tried adding the read:users scope, adding an audience and pretty much everything I found on the forums regarding similar issues but no solution works for me (I assume I’m trying to do that where I’m not supposed to?).

Can anyone help me out with this? My ideal would be to be able to update the user_metadata using this approach, but this error is blocking me from doing anything.

Thanks in advance,

Could anyone give me a hand with this?
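
An added diagnostic example, not part of the original post and not Auth0 SDK code: it checks, before `new auth0.Management({ token, domain })` is called, whether the value passed as `token` is a well-formed JWT whose `aud` and `scope` claims cover the Management API. The names `inspectManagementToken` and `makeSampleToken`, the domain `example.auth0.com` and the sample token are constructed assumptions; the audience form `https://<domain>/api/v2/` is the Management API identifier.

```javascript
// Decode one base64url JWT segment (assumes atob exists: browsers, Node 16+).
function b64urlDecode(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/')
  return atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4))
}

// Hypothetical helper: returns a list of problems, empty if the token looks usable.
// Client-side sanity check only; it does NOT verify the signature.
function inspectManagementToken(token, domain, requiredScopes) {
  if (typeof token !== 'string' || token.length === 0) {
    return ['token is missing or not a string']
  }
  const parts = token.split('.')
  if (parts.length !== 3) {
    return ['token is not a three-part JWT']
  }
  let claims
  try {
    claims = JSON.parse(b64urlDecode(parts[1]))
  } catch (e) {
    return ['token payload is not base64url-encoded JSON']
  }
  const problems = []
  const expectedAud = `https://${domain}/api/v2/`
  const aud = [].concat(claims.aud || []) // aud may be a string or an array
  if (!aud.includes(expectedAud)) {
    problems.push(`aud does not include ${expectedAud}`)
  }
  const granted = (claims.scope || '').split(' ')
  for (const s of requiredScopes) {
    if (!granted.includes(s)) problems.push(`scope ${s} not granted`)
  }
  if (typeof claims.exp === 'number' && claims.exp * 1000 < Date.now()) {
    problems.push('token is expired')
  }
  return problems
}

// Builds a constructed, unsigned sample token for illustration only.
function makeSampleToken(claims) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.sig`
}
```

Calling `inspectManagementToken(result.accessToken, domain, [...])` inside the `authenticated` handler and logging the returned list shows which of these conditions fails before any Management API request is made.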