"Payload validation error: Scope must be a subset of resource server scopes" when Updating Auth0 M2M Client Grants Due to Invalid Scope
When attempting to update an M2M (Machine-to-Machine) client grant in Auth0, particularly when adding existing scopes, users may encounter the following error.
Payload validation error: scope must be a subset of resource server scopes
This prevents any further modifications to the client grant via the Auth0 Dashboard.
- Auth0 Machine-to-Machine (M2M) applications
This error typically arises when the client grant associated with the M2M application and API is in an inconsistent state. Specifically, the client grant may contain scopes that are no longer valid or defined on the corresponding resource server (API).
The Auth0 Management Dashboard UI expects every scope within a client grant to be valid and defined by the resource server. When it encounters undeclared or invalid scopes, it raises the "Payload validation error" above and prevents UI-based updates.
To resolve this issue, the client grant must be updated programmatically to remove the invalid scopes and apply only the scopes currently defined on the resource server. This is done with the Auth0 Management API v2 by directly updating (PATCH) the client grant, which lets the invalid scopes be dropped and only valid ones be kept.
More details on how to perform this action in the Auth0 Management API v2 documentation can be found in the Auth0 Management API v2: PATCH Client Grants by ID documentation.
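The repair described above, as an added example (not code from the Auth0 article or the Auth0 SDKs): it reads the grant and its API's declared scopes, keeps only the scopes the API still defines, and PATCHes the grant. It assumes an AUTH0_DOMAIN and an AUTH0_MGMT_TOKEN environment variable (a Management API token with read:resource_servers, read:client_grants and update:client_grants), and the helper names are this script's own.

```python
"""Repair an Auth0 M2M client grant whose scopes are no longer declared on its
resource server, via Management API v2 (stdlib only). Helper names are this
script's own; the grant id is taken from the command line."""
import json
import os
import sys
import urllib.parse
import urllib.request


def valid_scopes(grant_scopes, resource_server):
    """Split grant scopes into (still declared on the API, no longer declared)."""
    declared = {s["value"] for s in resource_server.get("scopes", [])}
    keep = [s for s in grant_scopes if s in declared]
    dropped = [s for s in grant_scopes if s not in declared]
    return keep, dropped


def build_patch(domain, token, grant_id, scopes):
    """Build (but do not send) PATCH /api/v2/client-grants/{id} with the new scope list."""
    body = json.dumps({"scope": scopes}).encode()
    return urllib.request.Request(
        f"https://{domain}/api/v2/client-grants/{grant_id}",
        data=body, method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def api_get(domain, token, path):
    req = urllib.request.Request(f"https://{domain}/api/v2/{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def main(grant_id):
    domain, token = os.environ["AUTH0_DOMAIN"], os.environ["AUTH0_MGMT_TOKEN"]
    # Management API v2 has no GET client-grants/{id}: list grants and pick ours
    # (assumes the grant is on the first page of results).
    grant = next(g for g in api_get(domain, token, "client-grants") if g["id"] == grant_id)
    # The grant's audience is the API identifier; resource-servers/{id} accepts it URL-encoded.
    rs = api_get(domain, token,
                 "resource-servers/" + urllib.parse.quote(grant["audience"], safe=""))
    keep, dropped = valid_scopes(grant["scope"], rs)
    print("Scopes no longer declared on the API, being removed:", dropped)
    with urllib.request.urlopen(build_patch(domain, token, grant_id, keep)) as resp:
        print("Updated grant:", json.load(resp))


if __name__ == "__main__":
    main(sys.argv[1])
```

After the PATCH succeeds, the grant contains only scopes the API declares, so Dashboard edits work again.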