Using Custom API with Permission getting "Unauthorized"

Hello! I created one API and added 2 permissions. This is the configuration:

and I enabled it for my machine-to-machine application:

So, each time I try to update some data I get this:

1. error: "Unauthorized"
2. message: "Bad audience: https://dev-app/api/v1"
3. statusCode: 401

Why? What's wrong?

This is the endpoint that I'm using:

scope: update:current_user_metadata
endpoint: [PATCH /api/v2/users/{id}]

I checked the token that I'm sending to the endpoint with jwt.io, and the PAYLOAD:DATA is right.

So I also checked the grant_types of my machine-to-machine application:

They are right too.

Hey there @Gerarca!

Judging by the error, the audience param you are using to authorize (and subsequently the audience claim in your access token) is different than the audience of the endpoint you are attempting to use the access token against.

If you are indeed attempting to PATCH users at /api/v2/users then you will need to be sure you are passing a Management API access token in the request. This access token will need to have an audience of https://{yourDomain}/api/v2/
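
Added example (not part of the thread and not Auth0 sample code): a small Node check that decodes a token's payload the way jwt.io does and reports the audience mismatch described in the reply above. The tenant name `example-tenant.auth0.com`, the helper names, and the unsigned sample tokens are constructed placeholders; the script inspects claims only and does not verify signatures.

```javascript
// Constructed placeholder for https://{yourDomain}/api/v2/
const MGMT_AUDIENCE = 'https://example-tenant.auth0.com/api/v2/';

// Decode (not verify) the payload segment of a compact JWT.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected 3 dot-separated segments');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// List the reasons an API expecting `expectedAud` would refuse this token.
function diagnoseToken(jwt, expectedAud, requiredScope) {
  const claims = decodePayload(jwt);
  // RFC 7519: "aud" may be a single string or an array of strings.
  const audiences = claims.aud == null ? [] : [].concat(claims.aud);
  const problems = [];
  // Compared as exact strings here, so a missing trailing slash is a mismatch.
  if (!audiences.includes(expectedAud)) {
    problems.push(`Bad audience: ${audiences.join(', ')}`);
  }
  // Granted scopes arrive as one space-delimited string.
  const scopes = typeof claims.scope === 'string' ? claims.scope.split(' ') : [];
  if (!scopes.includes(requiredScope)) {
    problems.push(`Missing scope: ${requiredScope}`);
  }
  return problems;
}

// Build an unsigned sample token (constructed; the signature is a dummy).
function sampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.sig`;
}

// Token issued for the custom API, as in the question.
const customApiToken = sampleToken({
  aud: 'https://dev-app/api/v1',
  scope: 'update:current_user_metadata',
});
// Token issued for the Management API audience.
const mgmtToken = sampleToken({
  aud: [MGMT_AUDIENCE, 'https://example-tenant.auth0.com/userinfo'],
  scope: 'openid update:current_user_metadata',
});

console.log(diagnoseToken(customApiToken, MGMT_AUDIENCE, 'update:current_user_metadata'));
console.log(diagnoseToken(mgmtToken, MGMT_AUDIENCE, 'update:current_user_metadata'));
```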

Hello @tyf

I’m working with a SPA, so checking Get Management API Access Tokens for Single-Page Applications I see:

Password changes through the PATCH /api/v2/users/{id} endpoint are not possible with a Management API Token issued for a SPA.

that is so sad :smiling_face_with_tear:

What is the better way to change the password?

That is correct, Management API Tokens obtained directly through a SPA are limited in scope by design.

The most common way of going about this is using a backend to serve as proxy for the SPA making calls against the management API:

If you’re interested, here is an example of what this might look like in a Node backend - This extends our standard auth0-react sample app.

Thanks @tyf

It worked for me!

No problem, happy to help! Glad you were able to get it working :slight_smile: