Management API Token from API Explorer Tab does not Contain Expected Scopes
{
  "statusCode": 403,
  "error": "Forbidden",
  "message": "Insufficient scope, expected any of: example:scope",
  "errorCode": "insufficient_scope"
}
The API Explorer Application obtains its Management API token through a client grant, so if some scopes on that grant were deleted or modified at some point, tokens issued afterwards no longer contain them.
Alternatively, some older tenants have API Explorer Applications that were created before newer scopes were introduced for the Management API; the grant never included those scopes, and its permissions need to be updated.
Using the Tenant Dashboard:
The API Explorer Application's authorized permissions can be updated in the dashboard by going to Applications > API Explorer Application.
Open the APIs tab, expand the dropdown for Auth0 Management API, and check the permissions required by the failing endpoint (the error message lists them after "expected any of:"). See the screenshot below for an example of adding read:refresh_tokens to the API Explorer Application's authorized permissions:
After checking the required permission(s) and selecting Update, fetch a new token; scopes are fixed at the time a token is issued, so the request succeeds only with a token obtained after the update, and retrying with the old token returns the same error.
Using the Management API
Alternatively, the authorized permissions, which are stored on the client grant pairing the API Explorer Application with the Auth0 Management API, can be updated via the Management API. The token used for these calls must itself carry read:client_grants and update:client_grants; if the only available API Explorer token is missing those scopes, use a token from another application that is authorized for the Management API.
- Use the Get Client Grants (GET /api/v2/client-grants) endpoint, filtering by client_id and audience, to verify whether the API Explorer Application has a grant for the Auth0 Management API at all, and if so to find the grant id needing updates and its currently authorized scopes.
- Use the Update Client Grant (PATCH /api/v2/client-grants/{id}) endpoint to add back the missing scopes. The scope array in the PATCH body replaces the grant's scopes in full, so include every scope from the initial GET response together with the missing ones; sending only the missing scopes would remove the rest.
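The two Management API steps above, as an added example script (not Auth0's own tooling): it fetches the grant for the API Explorer Application and the Management API audience, diffs the grant's scopes against the ones the failing endpoint needs, and PATCHes the full merged list only when something is missing. The tenant domain, the API Explorer client_id and the bootstrap token are assumptions supplied through environment variables and arguments; the sample grant list at the top is constructed so the pure functions can be exercised offline.

```python
"""Repair the API Explorer Application's Auth0 Management API client grant.

Added example, not Auth0's own code. Assumptions (not from the page):
  - AUTH0_DOMAIN is the tenant's Auth0 domain (not a custom domain), so the
    Management API audience is https://<AUTH0_DOMAIN>/api/v2/;
  - AUTH0_TOKEN was issued to a *different* application whose grant carries
    read:client_grants and update:client_grants, because the broken
    API Explorer token may lack those scopes as well;
  - the client_id of the API Explorer Application is the first argument and
    the scopes the failing endpoint needs follow it.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

# Constructed sample of what GET /api/v2/client-grants returns, for offline use.
SAMPLE_GRANTS = [
    {"id": "cgr_example", "client_id": "abc123",
     "audience": "https://example.auth0.com/api/v2/",
     "scope": ["read:clients", "read:users"]},
    {"id": "cgr_other", "client_id": "abc123",
     "audience": "https://my-api.example.com/",
     "scope": ["read:orders"]},
]


def find_grant(grants, client_id, audience):
    """Pick the grant pairing this client with the given audience, or None.

    None means the application has no grant for that API at all, in which case
    the grant must be created (POST /api/v2/client-grants) rather than patched.
    """
    for grant in grants:
        if grant.get("client_id") == client_id and grant.get("audience") == audience:
            return grant
    return None


def missing_scopes(current, required):
    """Scopes in `required` that the grant does not yet carry."""
    have = set(current)
    return [s for s in required if s not in have]


def merged_scopes(current, required):
    """Scope list for the PATCH body: PATCH replaces the whole array, so keep
    every existing scope (in order) and append the missing ones, deduplicated."""
    seen = set()
    result = []
    for scope in list(current) + list(required):
        if scope not in seen:
            seen.add(scope)
            result.append(scope)
    return result


def _call(domain, token, method, path, body=None, query=None):
    """Minimal Management API client using only the standard library."""
    url = f"https://{domain}{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def repair_grant(domain, token, client_id, required):
    """GET the grant, diff its scopes against `required`, PATCH only if needed.
    Returns the scope list the grant ends up with."""
    audience = f"https://{domain}/api/v2/"  # assumption: tenant domain, not a custom domain
    grants = _call(domain, token, "GET", "/api/v2/client-grants",
                   query={"client_id": client_id, "audience": audience})
    grant = find_grant(grants, client_id, audience)
    if grant is None:
        raise SystemExit("no Management API grant for this client; create one "
                         "with POST /api/v2/client-grants instead of patching")
    if not missing_scopes(grant["scope"], required):
        return grant["scope"]
    body = {"scope": merged_scopes(grant["scope"], required)}
    updated = _call(domain, token, "PATCH",
                    f"/api/v2/client-grants/{grant['id']}", body=body)
    return updated["scope"]


if __name__ == "__main__":
    # Usage: AUTH0_DOMAIN=... AUTH0_TOKEN=... python repair_grant.py <client_id> read:refresh_tokens ...
    client_id, *wanted = sys.argv[1:]
    result = repair_grant(os.environ["AUTH0_DOMAIN"], os.environ["AUTH0_TOKEN"], client_id, wanted)
    print(json.dumps(result, indent=2))
```

The diff-then-merge split is the point: the script never sends a scope array shorter than the one it read back, so an operator cannot accidentally strip permissions the API Explorer Application already had, and a run against a grant that is already correct makes no write at all.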