Management API Access Tokens
To call the Auth0 Management API v2 endpoints, you need to authenticate with an access token called the Auth0 Management API token. These tokens are JSON Web Tokens (JWTs) which contain specific grant permissions known as scopes.
Get Management API tokens
The first time you get a Management API token for testing is when you authorize a machine-to-machine application in the Dashboard. Depending on what you are using the Management API for, there are different ways to get Management API tokens:
- Testing: You can get a test token manually by following the prompts on the Auth0 dashboard.
- Production: Auth0 recommends that you get a short-lived token programmatically for production.
- Single page applications (SPAs): Because SPAs are public clients and cannot securely store sensitive information, they must retrieve Management API tokens from the frontend, unlike other application types. There are some limitations.
Token lifetime
A Management API token is valid for 24 hours. Create a new access token when the old one expires.
Token security
When using the token for testing purposes, you can change the expiration time; however, Auth0 recommends that you use short-lived tokens to minimize security risks. You cannot renew or revoke a Management API token.
- Compromised token: If a token has been compromised, you can delete the application grant to prevent new tokens from being issued using the Management API /delete_client_grants_by_id endpoint or by manually deauthorizing the API application in the Dashboard.
- Compromised client secret: If your client secret has been compromised, you can rotate the client secret using the Management API /post_rotate_secret endpoint or by clicking the Rotate icon in the application's settings in the Dashboard.
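Because a Management API token cannot be renewed or revoked, it helps to check what a token carries before putting it to use. The following is an added example, not Auth0's own code: it decodes a token's claims without verifying the signature (inspection only) and reports excess scopes and lifetime. It assumes the standard `iat` and `exp` claims and a space-separated `scope` claim; the function names, the allowlist and the sample token are constructed for illustration.

```python
import base64
import json
import time

MAX_LIFETIME = 24 * 60 * 60  # the 24-hour validity stated above, in seconds


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token: str, allowed_scopes: set, now: float,
                refresh_margin: int = 300) -> dict:
    """Compare granted scopes to an allowlist and report remaining lifetime."""
    claims = decode_claims(token)
    granted = set(claims.get("scope", "").split())
    remaining = int(claims["exp"] - now)
    return {
        "excess_scopes": sorted(granted - allowed_scopes),
        "lifetime_too_long": claims["exp"] - claims["iat"] > MAX_LIFETIME,
        "seconds_remaining": max(remaining, 0),
        # True when expired or close to expiry: request a new token.
        "needs_new_token": remaining <= refresh_margin,
    }


def make_sample_token(iat: int, lifetime: int, scope: str) -> str:
    """Constructed sample token; the signature part is a dummy value."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(
        {"iat": iat, "exp": iat + lifetime, "scope": scope}).encode())
    return f"{header}.{body}.{b64url(b'constructed-signature')}"


if __name__ == "__main__":
    issued = int(time.time()) - 3600
    # Constructed case: a 7-day test token holding one scope too many.
    sample = make_sample_token(issued, 7 * 24 * 3600, "read:users delete:users")
    print(audit_token(sample, {"read:users"}, time.time()))
```

A non-empty `excess_scopes` list or a true `lifetime_too_long` flag means the application grant or the token's expiration setting should be tightened before the token is used outside testing.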
Token quotas
Tokens issued for Auth0 APIs (Management API, Authentication API, MFA API, etc.) do not count toward the M2M token quota listed in the Dashboard. Only tokens with external audiences count toward your quota. See Auth0 Management API Rate Limits for details.
Token quota limits are broken down by subscription tier. See Auth0 Pricing for details. You can access your current quota in the Auth0 Support Center. If you have questions about pricing or quotas, please direct them to our sales team.