Using Custom API with Permission getting "Unauthorized"

Gerarca · January 24, 2024, 3:15pm

Hello! I created one API and I added 2 Permission, this is the configure:

and I enable to my aplication type machine to machine:

so, each time that I try to update some date I got this:

1. error: "Unauthorized"
2. message: "Bad audience: https://dev-app/api/v1"
3. statusCode: 401

why?? what’s wrong

this’s the endpoint that I’m using:

scope: update:current_user_metadata
endpoint: [PATCH /api/v2/users/{id}]

I was checking the token that I’m sending through endpoint, I checked it with jwt.io and the PAYLOAD:DATA is right

so I check too the grant_types of my application type machine to Machine:

is right too

tyf · January 24, 2024, 4:15pm

Hey there @Gerarca!

Judging by the error, the audience param you are using to authorize (and subsequently the audience claim in your access token) is different than the audience of the endpoint you are attempting to use the access token against.

If you are indeed attempting to PATCH users at /api/v2/users then you will need to be sure you are passing a Management API access token in the request. This access token will need to have an audience of https://{yourDomain}/api/v2/

Gerarca · January 24, 2024, 6:17pm

Hello @tyf

I’m working with a SPA, so checking Get Management API Access Tokens for Single-Page Applications I see:

Password changes through the PATCH /api/v2/users/{id} endpoint are not possible with a Management API Token issued for a SPA.

that is so sad

what is the better way to change the password??

tyf · January 24, 2024, 11:08pm

That is correct, Management API Tokens obtained directly through a SPA are limited in scope by design.

The most common way of going about this is using a backend to serve as proxy for the SPA making calls against the management API:

If you’re interested, here is an example of what this might look like in a Node backend - This extends our standard auth0-react sample app.

Gerarca · January 26, 2024, 1:16pm

Thanks @tyf

Worked it for me!

tyf · January 26, 2024, 4:29pm

No problem, happy to help! Glad you were able to get it working

system · February 9, 2024, 4:30pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Bad Audience when using a custom API JWT.io jwt , api	12	25846	September 3, 2019
Bad Audience - 401Unauthorized Help users , roles	5	7827	July 18, 2019
Bad Audience Error Knowledge Articles management_api , scope , user_metadata , update	1	1377	April 19, 2023
401 - Bad Audience Help management-api , users	3	1840	July 5, 2023
Receiving 401 for "Bad audience" when attempting to get a user Help management-api , users	4	805	July 6, 2023

Using Custom API with Permission getting "Unauthorized"

Related Topics