Troubleshooting the "access_denied" Error

Overview

This article explains why the following error occurs when an application reaches the end of an authentication flow and provides steps for resolution:

access_denied

Applies To
  • Troubleshooting
  • access_denied error

Cause

The access_denied error occurs when Auth0 cannot issue a token, meaning authorization is refused. This error can stem from various sources.

The error_description parameter in the response typically provides specific details about the cause. Examples of error_description values include:

  • Service not found: […some invalid audience provided in the token request…]
  • User has canceled the interaction.


Custom Rules or Actions configured within Auth0 are common triggers for access_denied errors. These scenarios include:

  • Rules or Actions explicitly denying access:
    • A Rule can invoke its callback with an error, which directly denies the login and leads to this error. For example:
      function(user, context, callback) {
        if (someCondition()) {
          return callback("You can't log in");
        }
        [...]
      }
    • Similarly, an Action can explicitly deny access using api.access.deny(), as below:
      exports.onExecutePostLogin = async (event, api) => {
        api.access.deny("You can't log in");
      };
    • In both of these scenarios, the resulting error_description parameter will typically contain the message: You can't log in

  • Uncaught errors in Rules or Actions:
    • Runtime errors that occur during the execution of a Rule or Action, if not caught and handled, also lead to access_denied errors.
    • For example, consider a Rule that attempts to read a property from an object that is undefined:
      function(user, context, callback) {
        // If user_metadata is not defined, this line causes a runtime error.
        const favorite_color = user.user_metadata.favorite_color;
        [...]
      }
    • If user.user_metadata is indeed undefined when this Rule executes, a runtime error occurs.
    • This runtime error is then surfaced as an access_denied error, and the error_description parameter will reflect the specific details of the runtime error:
      Can't access property "favorite_color" of undefined
  • Supplying an incorrect CLIENT_SECRET can result in an access_denied error.
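
The two Action outcomes described above (an uncaught runtime error and an explicit api.access.deny()), shown with an added example that is not part of this article or of Auth0's code: runPostLogin is a constructed stand-in for the Actions runtime that reports the outcome as an error/error_description pair, fragileAction reproduces the undefined user_metadata bug, and hardenedAction shows the defensive version that turns the missing metadata into a deliberate decision instead of a crash. The event objects are constructed sample data.

```javascript
// Constructed stand-in for the Auth0 Actions runtime (not Auth0's real runtime):
// runs a post-login Action and maps the outcome the way the article describes.
// An uncaught exception and api.access.deny() both surface as
// error=access_denied, with the message carried in error_description.
async function runPostLogin(action, event) {
  let denied = null;
  const api = {
    access: { deny: (reason) => { denied = reason; } },
  };
  try {
    await action(event, api);
  } catch (e) {
    // Uncaught runtime error: surfaced as access_denied with the error text.
    return { error: "access_denied", error_description: e.message };
  }
  if (denied !== null) {
    return { error: "access_denied", error_description: denied };
  }
  return { error: null, error_description: null };
}

// Fragile Action: mirrors the article's Rule that reads a nested property
// without checking that user_metadata exists. With no metadata it throws.
const fragileAction = async (event, api) => {
  const favoriteColor = event.user.user_metadata.favorite_color;
  if (favoriteColor !== "blue") api.access.deny("You can't log in");
};

// Hardened Action: defaults the metadata object, so a missing user_metadata
// produces an explicit deny with a clear message rather than a runtime error.
const hardenedAction = async (event, api) => {
  const metadata = event.user.user_metadata || {};
  if (metadata.favorite_color !== "blue") {
    api.access.deny("You can't log in");
  }
};

// Constructed sample login events (not real Auth0 data).
const eventWithoutMetadata = {
  user: { user_id: "auth0|example-user", user_metadata: undefined },
};
const eventWithMetadata = {
  user: { user_id: "auth0|example-user", user_metadata: { favorite_color: "blue" } },
};
```

Running fragileAction against eventWithoutMetadata yields error_description containing the engine's "undefined" property-access message, while hardenedAction yields the intentional "You can't log in" text, which is far easier to recognise in logs.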

Solution

For a demonstration of this issue, refer to the following video.

To troubleshoot the error:

  1. Review the configuration and implementation of any relevant Auth0 Actions.
  2. Verify that the correct CLIENT_SECRET is used during the authentication process.

NOTE: When using Auth0 Rules, if a Rule passes a new UnauthorizedError("some message") object to its callback, the system generates an unauthorized error rather than an access_denied error. For example, a Rule configured as follows:

function(user, context, callback) {
  if (someCondition()) {
    return callback(new UnauthorizedError("You can't log in"));
  }
  // [...]
}

will produce the following error details:

  error=unauthorized
  error_description=You can't log in
