Using Custom API with Permission getting "Unauthorized"

Gerarca · January 24, 2024, 3:15pm

Hello! I created one API and I added 2 Permission, this is the configure:

and I enable to my aplication type machine to machine:

so, each time that I try to update some date I got this:

1. error: "Unauthorized"
2. message: "Bad audience: https://dev-app/api/v1"
3. statusCode: 401

why?? what’s wrong

this’s the endpoint that I’m using:

scope: update:current_user_metadata
endpoint: [PATCH /api/v2/users/{id}]

I was checking the token that I’m sending through endpoint, I checked it with jwt.io and the PAYLOAD:DATA is right

so I check too the grant_types of my application type machine to Machine:

is right too

ty.frith · January 24, 2024, 4:15pm

Hey there @Gerarca!

Judging by the error, the audience param you are using to authorize (and subsequently the audience claim in your access token) is different than the audience of the endpoint you are attempting to use the access token against.

If you are indeed attempting to PATCH users at /api/v2/users then you will need to be sure you are passing a Management API access token in the request. This access token will need to have an audience of https://{yourDomain}/api/v2/

https://community.auth0.com/t/what-is-the-audience/71414

Gerarca · January 24, 2024, 6:17pm

Hello @ty.frith

I’m working with a SPA, so checking Get Management API Access Tokens for Single-Page Applications I see:

Password changes through the PATCH /api/v2/users/{id} endpoint are not possible with a Management API Token issued for a SPA.

that is so sad

what is the better way to change the password??

ty.frith · January 24, 2024, 11:08pm

That is correct, Management API Tokens obtained directly through a SPA are limited in scope by design.

The most common way of going about this is using a backend to serve as proxy for the SPA making calls against the management API:

https://community.auth0.com/t/how-can-i-enable-users-to-change-their-email-address-from-a-spa-or-native-app/44064

If you’re interested, here is an example of what this might look like in a Node backend - This extends our standard auth0-react sample app.

Gerarca · January 26, 2024, 1:16pm

Thanks @ty.frith

Worked it for me!

ty.frith · January 26, 2024, 4:29pm

No problem, happy to help! Glad you were able to get it working

system · February 9, 2024, 4:30pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unauthorized, Bad audience for management api Get Help management-api , auth0js	10	21700	September 9, 2019
401 "Bad audience:' when trying to access Management API Get Help management-api	19	20474	October 5, 2022
Create a permission using a API Get Help management-api , resource-servers	5	777	December 19, 2023
Getting Bad Audience while calling Custom API for Auth0 User Management Get Help auth0 , api , management-api , audience	7	8578	June 30, 2021
Receiving 401 for "Bad audience" when attempting to get a user Get Help management-api , users	4	842	July 6, 2023

Using Custom API with Permission getting "Unauthorized"

Related topics