Unable to PATCH user with app_metadata

I’m trying to PATCH https://$app.auth0.com/api/v2/users/$user_id but I’m getting the following error:

{"statusCode":400,"error":"Bad Request","message":"Payload validation error: 'Additional properties not allowed: {\"app_metadata\": { \"external_user_id\": \"245c7631-8f95-4955-bc63-d6bd3c0e28db\"}} (consider storing them in app_metadata or user_metadata. See \"Users Metadata\" in https://auth0.com/docs/api/v2/changes for more details)'.","errorCode":"invalid_body"}

The docs indicate that app_metadata can be updated at the root level with this API: Auth0 Management API v2

What am I doing wrong?

I’m using curl with -d '{"app_metadata": { "external_user_id": "245c7631-8f95-4955-bc63-d6bd3c0e28db"}}'


Just tried with the literal example from the docs and I’m getting the same error:

-d '{ "user_metadata" : { "addresses": {"work_address": "100 Industrial Way"} }}'
HTTP/2 400
date: Mon, 25 Jun 2018 18:51:12 GMT
content-type: application/json; charset=utf-8
content-length: 367
vary: origin,accept-encoding
cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0

{"statusCode":400,"error":"Bad Request","message":"Payload validation error: 'Additional properties not allowed: { \"user_metadata\" : { \"addresses\": {\"work_address\": \"100 Industrial Way\"} }} (consider storing them in app_metadata or user_metadata. See \"Users Metadata\" in https://auth0.com/docs/api/v2/changes for more details)'.","errorCode":"invalid_body"}

Can you include your full curl command line, with just your token redacted? And maybe the user ID redacted too.

In theory what you are doing looks fine, but I’m wondering if there is something else weird going on…

You may have an issue because your token does not have the right scope. How are you generating your token? Make sure your token has the update:users and update:users_app_metadata scopes. Or, if you are using a user-based access token from an /authorize request, then you can’t update app_metadata, and to update the user metadata you need the update:current_user_metadata scope.

Carlos, thanks for the reply. Sorry, I should have shown the token scopes and auth method.

Honestly, I’d be pretty pissed if that error came out if my token scopes were wrong as there would be no way to determine that was the problem from the error :(

This is a 400 which should indicate that the request body is wrong rather than a 403 indicating that I don’t have permissions to modify the resource.

Here’s how I’m initiating the request:

[~]$ curl -iL -X POST https://xxxxx.auth0.com/oauth/token -H 'Content-type: application/json' -d '{"grant_type": "client_credentials", "client_id":"xxxxx", "client_secret":"xxxxx", "audience": "https://xxxxx.auth0.com/api/v2/"}'
HTTP/2 200
date: Tue, 26 Jun 2018 21:26:16 GMT
content-type: application/json
content-length: 978
x-auth0-requestid: fd11d6c27dddd1c63d4d
x-ratelimit-limit: 30
x-ratelimit-remaining: 29
x-ratelimit-reset: 1530048377
cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
strict-transport-security: max-age=15724800
x-robots-tag: noindex, nofollow, nosnippet, noarchive

{"access_token":"XXXXXXXXXXJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5EZEROalZHTWtOQ05rTTRPRE0zTmtReVF6VkVRVVExUWpjNFJUTkZNa1pGUWprd1FqUTJNdyJ9.eyJpc3MiOiJodHRwczovL2NyeXB0b3dhbGsuYXV0aDAuY29tLyIsInN1YiI6Ik9SSUVDNUtlOXNrdnNoUlhpaFNaN0o4U3NaYWJpQ2FkQGNsaWVudHMiLCJhdWQiOiJodHRwczovL2NyeXB0b3dhbGsuYXV0aDAuY29tL2FwaS92Mi8iLCJpYXQiOjE1MzAwNDgzNzYsImV4cCI6MTUzMDEzNDc3NiwiYXpwIjoiT1JJRUM1S2U5c2t2c2hSWGloU1o3SjhTc1phYmlDYWQiLCJzY29wZSI6InJlYWQ6dXNlcnMgdXBkYXRlOnVzZXJzIHVwZGF0ZTp1c2Vyc19hcHBfbWV0YWRhdGEiLCJndHkiOiJjbGllbnQtY3JlZGVudGlhbHMifQ.WYCY30F4fshj_4ufFzvsa9MzkUl19sulVD9eScl4QFyo2KF6v4gRZ1jUP8Z_5CzQQga_QAJYKBjy2d7M8s6NTLOfpoB0txLql2J7hOoocC0abVr521L3keoy3QPXm81AKIgEKc12tUn3UdD00u-er43L_87S8miy6e-ElrQrxXyD0wKaZh_CKvCCJziwAvqzvYmrfHElmQYchOoYLkrU1U7HbKqyJZ1WX0T8UMseL3okjkk-peBO0PYok88cLW84jqQjM50Jr9y5iU6WswP2OK9Z3qUfGo1j_sovRiErDjo972JUS6SM3qD8m1mTuNVnROzmhXuIo_DcXXXXXXXXXX","scope":"read:users update:users update:users_app_metadata","expires_in":86400,"token_type":"Bearer"}
[~]$ curl -iL -X PATCH 'https://xxxxx.auth0.com/api/v2/users/auth0|XXXXXca552e65360e5eXXXXX' -H 'Authorization: Bearer XXXXXXXXXXJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5EZEROalZHTWtOQ05rTTRPRE0zTmtReVF6VkVRVVExUWpjNFJUTkZNa1pGUWprd1FqUTJNdyJ9.eyJpc3MiOiJodHRwczovL2NyeXB0b3dhbGsuYXV0aDAuY29tLyIsInN1YiI6Ik9SSUVDNUtlOXNrdnNoUlhpaFNaN0o4U3NaYWJpQ2FkQGNsaWVudHMiLCJhdWQiOiJodHRwczovL2NyeXB0b3dhbGsuYXV0aDAuY29tL2FwaS92Mi8iLCJpYXQiOjE1MzAwNDgzNzYsImV4cCI6MTUzMDEzNDc3NiwiYXpwIjoiT1JJRUM1S2U5c2t2c2hSWGloU1o3SjhTc1phYmlDYWQiLCJzY29wZSI6InJlYWQ6dXNlcnMgdXBkYXRlOnVzZXJzIHVwZGF0ZTp1c2Vyc19hcHBfbWV0YWRhdGEiLCJndHkiOiJjbGllbnQtY3JlZGVudGlhbHMifQ.WYCY30F4fshj_4ufFzvsa9MzkUl19sulVD9eScl4QFyo2KF6v4gRZ1jUP8Z_5CzQQga_QAJYKBjy2d7M8s6NTLOfpoB0txLql2J7hOoocC0abVr521L3keoy3QPXm81AKIgEKc12tUn3UdD00u-er43L_87S8miy6e-ElrQrxXyD0wKaZh_CKvCCJziwAvqzvYmrfHElmQYchOoYLkrU1U7HbKqyJZ1WX0T8UMseL3okjkk-peBO0PYok88cLW84jqQjM50Jr9y5iU6WswP2OK9Z3qUfGo1j_sovRiErDjo972JUS6SM3qD8m1mTuNVnROzmhXuIo_DcXXXXXXXXXX' -d '{"app_metadata": { "external_user_id": "245c7631-8f95-4955-bc63-d6bd3c0e28db"}}'
HTTP/2 400
date: Tue, 26 Jun 2018 21:26:36 GMT
content-type: application/json; charset=utf-8
content-length: 370
vary: origin,accept-encoding
cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0

{"statusCode":400,"error":"Bad Request","message":"Payload validation error: 'Additional properties not allowed: {\"app_metadata\": { \"external_user_id\": \"245c7631-8f95-4955-bc63-d6bd3c0e28db\"}} (consider storing them in app_metadata or user_metadata. See \"Users Metadata\" in https://auth0.com/docs/api/v2/changes for more details)'.","errorCode":"invalid_body"}

You are missing your content-type header. Try adding -H "content-type: application/json" to your curl request


Also, I highly recommend using our Management API explorer to test things out and get example curl commands :). Auth0 Management API v2
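An added example, not part of the thread and not Auth0's code: curl -d without a content-type header sends application/x-www-form-urlencoded, and a form decoder turns the whole JSON text into one key, which matches the "Additional properties not allowed" text in the error above. The generic server model, ALLOWED_ROOT, the sample token and the sample body are assumptions constructed for illustration; the scope names are the ones given in the thread.

```python
import base64
import json
from urllib.parse import parse_qsl

# Assumed root properties for this sketch; the real PATCH schema accepts more.
ALLOWED_ROOT = {"app_metadata", "user_metadata"}
# Scopes named in the thread for updating app_metadata with a client-credentials token.
REQUIRED_SCOPES = {"update:users", "update:users_app_metadata"}
# curl -d sends this Content-Type when no -H "content-type: ..." is given.
CURL_DEFAULT = "application/x-www-form-urlencoded"

def server_view(body, content_type):
    """Decode the body the way a generic server would for this Content-Type."""
    if content_type.split(";")[0].strip().lower() == "application/json":
        return json.loads(body)
    # Form decoding: with no '&' or '=' the whole JSON text becomes one key.
    return dict(parse_qsl(body, keep_blank_values=True))

def unknown_properties(body, content_type):
    """Root keys a strict schema would reject as additional properties."""
    return [k for k in server_view(body, content_type) if k not in ALLOWED_ROOT]

def token_scopes(jwt):
    """Read the scope claim from a JWT payload (no signature check; inspection only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("scope", "").split())

def preflight(headers, body, jwt):
    """Return a list of problems to fix before sending the PATCH."""
    problems = []
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), CURL_DEFAULT)
    for key in unknown_properties(body, ctype):
        problems.append(f"body read as {ctype}: unexpected property {key!r}")
    missing = REQUIRED_SCOPES - token_scopes(jwt)
    if missing:
        problems.append("token lacks scopes: " + " ".join(sorted(missing)))
    return problems

def sample_token(scope):
    """Constructed, unsigned token for the demo; not a real credential."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"scope": scope}), "sig"])

BODY = '{"app_metadata": {"external_user_id": "constructed-id"}}'  # constructed sample

if __name__ == "__main__":
    tok = sample_token("read:users update:users update:users_app_metadata")
    print(preflight({"Authorization": "Bearer " + tok}, BODY, tok))
    print(preflight({"Content-Type": "application/json"}, BODY, tok))
```

The first call reports the JSON text as a single unexpected property; the second, with the header set, reports nothing.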

Thanks, I was using it but it wasn’t obvious how to authenticate so it only gave me a partial curl command.

Does your API require application/json? There’s no documentation on what headers are required to communicate with the API other than in the Authentication section.

I’d recommend noting in the Introduction section that you have to send Content-type: application/json with every request. Also, I’d recommend either sending back a 400 level error when no Content-type: application/json header is sent over or assuming it’s JSON if nothing is sent. If you only accept JSON, why even require the header?


For clarity, I really do appreciate the help. I’m just trying to figure out ways that you can avoid having to handle topics like this in the future.

Dave, those are great suggestions, I’ll forward them on to the docs and engineering teams.


Thanks Carlos. Appreciate the help tracking this down!