Getting "Unauthorized - invalid credentials."
Every time while making Kinde API call, I'm getting "Unauthorized - invalid credentials."
I'm also validating my token using validateToken() method from @kinde/management-api-js package, though my token is valid now it's returning error: "Unauthorized - invalid credentials."

3 Replies

Hi Parth,
Thanks for reaching out. Could you please provide the following details:
1. Which SDK are you using (e.g., @kinde/management-api-js), and what is its version?
2. How are you generating the access token? Are you using a Machine-to-Machine (M2M) application, and have you authorized it correctly for the Kinde Management API? https://docs.kinde.com/developer-tools/kinde-api/connect-to-kinde-api
3. Have you ensured that the necessary scopes are selected for your M2M application? Missing scopes can lead to unauthorized errors. https://docs.kinde.com/developer-tools/kinde-api/troubleshoot-kinde-api
4. When using the validateToken() method from the SDK, are you passing the correct audience and issuer parameters? Incorrect values can result in validation failures.
Providing this information will help us pinpoint the issue more accurately and guide you toward a solution.

@Kinde Bot @Ask Inkeep
1. I'm using "@kinde/management-api-js": "^0.13.0"
2. I'm generating token from the frontend JS application only and sending it to backend
3. I've defined all the necessary scopes
4. In validateToken() method, I'm only passing token, not passing audience as it is optional (It was working fine without audience before)
All things were working very fine, but now it's giving that Unauthorized error
The only change I've done in Kinde is that I've added custom domain, so issuer in token is now changed to new domain, instead of Kinde default provided one.
So, now I'm using that custom domain as KINDE_DOMAIN in my application for frontend and in management api. Can I use that or not? @Admin

Hi Parth,
Thanks for sharing the details of your setup. While authentication flows (like user logins) can use your custom domain (e.g., account.example.com), tokens obtained from your custom domain cannot be used with the Management API.
For the Management API and machine-to-machine applications, you must use your original Kinde subdomain (e.g., your-business.kinde.com). This also means that your Management API tokens must be obtained using the client_credentials flow directly with your Kinde subdomain.
Even if you have a custom domain, the Management API’s access token endpoint remains:
Although the validateToken() method may have worked without specifying audience and issuer previously, the introduction of a custom domain can sometimes require these parameters to be explicitly set, especially if tokens were obtained from the custom domain.
In the meantime, could you please double-check that:
1. You’re obtaining the Management API access token via your Kinde subdomain (not the custom domain).
2. Any calls to the Management API are also directed to the original Kinde subdomain.
Let me know if you have any further questions.

Hi Parth,
Just checking in to see if you’re still experiencing the “Unauthorized - invalid credentials” issue after the guidance provided regarding using your original Kinde subdomain for the Management API tokens. If the problem persists, please let us know so we can continue assisting you. Otherwise, I’ll proceed to close this ticket. Feel free to reach out anytime if you have other questions or need further help.
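
To check which domain issued a token before sending it to the Management API, as discussed in the thread above, the following added example (not from the thread or the Kinde SDK) decodes the `iss` and `aud` claims and flags a custom-domain issuer. The function names, the sample tokens, and the `managementAudience` value are assumptions made for illustration.

```javascript
// Added diagnostic example, not part of the Kinde SDK.
// It decodes JWT claims WITHOUT verifying the signature, so use it only to
// inspect a token while troubleshooting, never to authorize a request.
function decodeClaims(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// kindeIssuer, customIssuer and managementAudience are values you supply.
function diagnoseManagementToken(token, { kindeIssuer, customIssuer, managementAudience }) {
  const claims = decodeClaims(token);
  const norm = (u) => String(u || "").replace(/\/+$/, "").toLowerCase();
  const aud = [].concat(claims.aud ?? []).map(norm); // aud may be a string or an array
  const findings = [];

  if (norm(claims.iss) === norm(customIssuer)) {
    findings.push("issuer is the custom domain; obtain the token from the Kinde subdomain");
  } else if (norm(claims.iss) !== norm(kindeIssuer)) {
    findings.push("issuer matches neither configured domain");
  }
  if (!aud.includes(norm(managementAudience))) {
    findings.push("audience does not include the Management API");
  }
  if (typeof claims.exp === "number" && claims.exp * 1000 <= Date.now()) {
    findings.push("token is expired");
  }
  return { iss: claims.iss, aud: claims.aud, ok: findings.length === 0, findings };
}

// Constructed, unsigned sample tokens used only to exercise the check.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}

const config = {
  kindeIssuer: "https://your-business.kinde.com",
  customIssuer: "https://account.example.com",
  managementAudience: "https://your-business.kinde.com/api", // assumed audience value
};
const farFuture = 4102444800; // 2100-01-01, keeps the samples unexpired
const fromCustomDomain = makeSampleToken({ iss: config.customIssuer, aud: [], exp: farFuture });
const fromSubdomain = makeSampleToken({ iss: config.kindeIssuer, aud: [config.managementAudience], exp: farFuture });

console.log(diagnoseManagementToken(fromCustomDomain, config));
console.log(diagnoseManagementToken(fromSubdomain, config));
```
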