While testing how to easily exchange username and password credentials for tokens?

I want to create an API to call for debugging purposes during development. Currently I have to set a breakpoint in my Android app to collect a valid bearer token to use for testing purposes. Clearly this is a pain and I was wondering what is the best route to go when calling my Auth0 API.

Here is the code I’ve tried but for whatever reason it doesn’t like the bearer token I get back.

var client = new RestClient($"https://{_options.Domain}/oauth/ro");
var request = new RestRequest(Method.POST);
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", $"{{\"grant_type\":\"password\",\"client_id\": \"{_options.ClientId}\",\"client_secret\": \"{_options.ClientSecret}\",\"audience\": \"{_options.ApiIdentifier}\", \"username\": \"matthew.vincent.hartz+1@gmail.com\", \"password\": \"Password1\", \"connection\": \"Username-Password-Authentication\", \"scope\": \"openid\"}}", ParameterType.RequestBody);
//request.AddParameter("application/json", $"{{\"grant_type\":\"password\",\"client_id\": \"{_options.ClientId}\",\"client_secret\": \"{_options.ClientSecret}\",\"audience\": \"{_options.ApiIdentifier}\", \"username\": \"email\", \"password\": \"password\", \"connection\": \"Username-Password-Authentication\", \"scope\": \"openid\"}}", ParameterType.RequestBody);
var response = client.ExecuteAsync(request, s =>

return Ok();

If you have a username/password credentials user then you can perform a resource owner password credentials (ROPC) grant to exchange those credentials directly with tokens.

The thing to have in mind is that, at this moment, there are multiple endpoints that allow you to perform a ROPC. The reasons for multiple endpoints is due to new feature sets being released and the need to not immediately break application that already existed.

More specifically, the currently recommended approach to perform a ROPC grant that allows you to also request an access token to call your own API is to call the /oauth/token endpoint. For reference information on how to call this endpoint see this documentation page.

In conclusion, your problem is motivated by you calling the /oauth/ro endpoint which has been superseded by /oauth/token for all new developments.

Thanks @jmangelo . I will accept your answer when i get home and try locally :slight_smile:

Thanks @jmangelo . I will accept your answer when i get home and try locally :slight_smile: