{"statusCode":400,"error":"Bad Request","message":"Payload validation error: 'Additional properties not allowed: {\"app_metadata\": { \"external_user_id\": \"245c7631-8f95-4955-bc63-d6bd3c0e28db\"}} (consider storing them in app_metadata or user_metadata. See \"Users Metadata\" in https://auth0.com/docs/api/v2/changes for more details)'.","errorCode":"invalid_body"}
The docs indicate that app_metadata can be updated at the root level with this API: Auth0 Management API v2
What am I doing wrong?
I’m using curl with -d '{"app_metadata": { "external_user_id": "245c7631-8f95-4955-bc63-d6bd3c0e28db"}}'
Can you include your full curl command line, with just your token redacted? And maybe the user ID redacted too.
In theory what you are doing looks fine, but I’m wondering if there is something else weird going on…
You may have an issue because your token does not have the right scope. How are you generating your token? Make sure your token has the update:users and update:users_app_metadata scopes. Or if you are using a user-based access token from an /authorize request, then you can’t update app_metadata, and to update the user metadata you need the update:current_user_metadata scope.
Carlos, thanks for the reply. Sorry, I should have shown the token scopes and auth method.
Honestly, I’d be pretty pissed if that error came out if my token scopes were wrong, as there would be no way to determine that was the problem from the error.
This is a 400 which should indicate that the request body is wrong rather than a 403 indicating that I don’t have permissions to modify the resource.
Thanks, I was using it but it wasn’t obvious how to authenticate so it only gave me a partial curl command.
Does your API require application/json? There’s no documentation on what headers are required to communicate with the API other than in the Authentication section.
I’d recommend noting in the Introduction section that you have to send Content-type: application/json with every request. Also, I’d recommend either sending back a 400 level error when no Content-type: application/json header is sent over or assuming it’s JSON if nothing is sent. If you only accept JSON, why even require the header?
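Added example, not part of the thread and not Auth0's code: curl's -d option sends Content-Type: application/x-www-form-urlencoded unless a header overrides it, and the sketch below shows how a body decoded as form data turns the whole JSON text into one unknown property name, matching the shape of the error above. The schema check, the URL and the token are placeholders, and the server-side parsing is an assumption.

```python
import json
from urllib.parse import parse_qsl
from urllib.request import Request

# Body from the thread's curl -d argument.
BODY = '{"app_metadata": { "external_user_id": "245c7631-8f95-4955-bc63-d6bd3c0e28db"}}'

# Assumption: a minimal stand-in for the server's root-level schema check.
ALLOWED_ROOT_KEYS = {"app_metadata", "user_metadata"}


def parse_body(body, content_type):
    """Decode a request body the way a server would for the given Content-Type."""
    if content_type == "application/json":
        return json.loads(body)
    if content_type == "application/x-www-form-urlencoded":
        # The JSON text has no '=' or '&', so it becomes one key with an empty value.
        return dict(parse_qsl(body, keep_blank_values=True))
    raise ValueError(f"unsupported Content-Type: {content_type}")


def unexpected_keys(body, content_type):
    """Return the root-level keys that the schema check would reject."""
    return sorted(set(parse_body(body, content_type)) - ALLOWED_ROOT_KEYS)


def build_patch(url, token, payload):
    """Build (without sending) a PATCH request that declares its body as JSON."""
    return Request(url, data=json.dumps(payload).encode(), method="PATCH",
                   headers={"Authorization": f"Bearer {token}",
                            "Content-Type": "application/json"})


if __name__ == "__main__":
    # What curl -d sends when no Content-Type header is given.
    print(unexpected_keys(BODY, "application/x-www-form-urlencoded"))
    # Same body, declared as JSON: nothing unexpected at the root.
    print(unexpected_keys(BODY, "application/json"))
    # Placeholder URL and token, constructed for this example.
    req = build_patch("https://TENANT.example/api/v2/users/USER_ID",
                      "REDACTED_TOKEN", json.loads(BODY))
    print(req.get_method(), req.header_items())
```

With curl, the equivalent fix is adding -H 'Content-Type: application/json' alongside the -d argument.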