OIDC-conformant Resource Owner Password Credentials exchange
This document is part of the adoption guide for OIDC-conformant authentication. If you haven't already, we strongly suggest reading the introduction before reading this document.
The Resource Owner Password Credentials exchange is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.
This document describes the differences of this flow between the legacy and OIDC-conformant authentication pipelines.
Available scopes and endpoints
Legacy:
- The returned Access Token is only valid for calling the /userinfo endpoint.
- A Refresh Token will be returned only if a device parameter was passed and the offline_access scope was requested.
OIDC-conformant:
- The returned Access Token is valid for calling the /userinfo endpoint (provided that the API specified by the audience parameter uses RS256 as its signing algorithm) and optionally the resource server specified by the audience parameter.
- The ID Token will be forcibly signed using RS256 if requested by a public application.
- A Refresh Token will be returned only if the offline_access scope was granted; no device parameter is needed.
ID Token structure
Access Token structure (optional)
Legacy:
- The returned Access Token is opaque and only valid for calling the /userinfo endpoint.
OIDC-conformant:
- The returned Access Token is a JWT valid for calling the /userinfo endpoint (provided that the API specified by the audience parameter uses RS256 as its signing algorithm) as well as the resource server specified by the audience parameter.
- Note that an opaque Access Token could still be returned if /userinfo is the only specified audience, so an application should not assume it can decode the Access Token as a JWT.
Standard password grant requests
The Auth0 password-realm grant is not defined by the OAuth 2.0 or OIDC specifications, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific realm parameter. The standard OAuth 2.0 password grant (grant_type=password) is also supported when using OIDC-conformant authentication.
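The request and token differences described in the sections above, as an added worked example (this is not code from Auth0's documentation or SDKs). It builds the body for the OIDC-conformant password-realm exchange with an audience and offline_access, then classifies the Access Token that comes back: opaque tokens are only good for /userinfo, while a JWT is usable against the API only if its alg is RS256, its aud contains the API identifier, and it has not expired. YOUR_DOMAIN, the client_id, the realm name and https://api.example.com are placeholders; the sample tokens are constructed inline so the example runs offline, and their signature segment is a dummy because only the header and claims are inspected here.

```python
"""Added example (not Auth0's own code): build an OIDC-conformant password-realm
token request and inspect the Access Token in the response.

Assumptions (placeholders): YOUR_DOMAIN is the Auth0 tenant domain, and
https://api.example.com is the identifier of a custom API registered in the tenant.
"""
import base64
import json
import time

TOKEN_URL = "https://YOUR_DOMAIN/oauth/token"          # assumption: tenant token endpoint
USERINFO_AUDIENCE = "https://YOUR_DOMAIN/userinfo"     # assumption: tenant userinfo audience
PASSWORD_REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm"


def build_token_request(client_id, username, password, realm, audience=None,
                        scope="openid profile email", want_refresh_token=False):
    """Body for the OIDC-conformant exchange. Compared with the legacy resource
    owner endpoint: realm replaces connection, audience selects the resource
    server, and a Refresh Token is requested with the offline_access scope alone
    (no device parameter)."""
    if want_refresh_token and "offline_access" not in scope.split():
        scope = scope + " offline_access"
    body = {
        "grant_type": PASSWORD_REALM_GRANT,
        "client_id": client_id,
        "username": username,
        "password": password,
        "realm": realm,
        "scope": scope,
    }
    if audience:
        body["audience"] = audience   # omit it and only /userinfo is the audience
    return body


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(header, claims):
    """Constructed test token. A real Auth0 Access Token carries an RS256
    signature; the third segment here is a dummy because only the header and
    claims are inspected below."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"not-a-real-signature")])


def inspect_access_token(token, api_identifier, now=None):
    """Classify the Access Token from the token response.

    Returns {'kind': 'opaque', ...} for a token that is only good for /userinfo,
    or {'kind': 'jwt', ...} with usable_for_api set when alg is RS256, aud
    contains api_identifier and exp is in the future. This only reads the
    header and claims; the resource server must still verify the RS256
    signature against the tenant JWKS before trusting the token."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"kind": "opaque", "usable_for_api": False}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:          # bad base64url or bad JSON: treat as opaque
        return {"kind": "opaque", "usable_for_api": False}
    aud = claims.get("aud", [])
    if isinstance(aud, str):    # aud may be a single string or a list
        aud = [aud]
    now = time.time() if now is None else now
    expired = claims.get("exp") is not None and claims["exp"] <= now
    return {
        "kind": "jwt",
        "alg": header.get("alg"),
        "aud": aud,
        "scope": claims.get("scope", "").split(),
        "usable_for_api": header.get("alg") == "RS256"
                          and api_identifier in aud and not expired,
    }


if __name__ == "__main__":
    body = build_token_request("CLIENT_ID", "user@example.com", "s3cret",
                               "Username-Password-Authentication",
                               audience="https://api.example.com",
                               want_refresh_token=True)
    print("POST", TOKEN_URL, json.dumps(body, indent=2))
    sample = make_sample_jwt({"alg": "RS256", "typ": "JWT"},
                             {"aud": ["https://api.example.com", USERINFO_AUDIENCE],
                              "exp": 2000000000, "scope": "openid read:things"})
    print(inspect_access_token(sample, "https://api.example.com"))
    print(inspect_access_token("kVq3tYpX0opaque", "https://api.example.com"))
```

The request body is what would be POSTed as JSON to the token endpoint; the password never leaves the application over anything but TLS, which is why this grant is reserved for highly-trusted applications. The inspection step is the client-side sanity check: if the response carries an opaque token (no audience requested, or /userinfo the only audience), sending it to your API will fail regardless of what scope was granted.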
- Calling your APIs with Auth0 tokens
- User consent and third-party applications
- Custom user profile claims and scopes
- Single Sign-on (SSO)
- Initiating authentication flows
- Refresh Tokens
- Passwordless authentication
- List of breaking changes for OIDC-conformant applications