Auth0 "access_denied" from the token endpoint in CI
Auth0 returned access_denied: the client is valid but not authorized to obtain a token for the requested audience, or an Auth0 Action/Rule denied it. Often the M2M app is not authorized for that API.
What this error means
A client_credentials request returns "error":"access_denied" with "Client is not authorized to access ...". The audience API grant is missing for the app.
Auth0
{"error":"access_denied","error_description":"Client is not authorized to access \"https://api.example.com\". You need to create a client-grant associated to this API."}Common causes
No client grant for the requested API
The M2M application has not been authorized for the audience API, so Auth0 denies the token.
A rule or action blocked the request
A custom Auth0 Action or Rule can deny the grant based on the client or environment.
How to fix it
Authorize the app for the API
- In Auth0, open the API and authorize the M2M application.
- Grant the specific scopes the CI job needs.
- Request a token with the matching audience.
Check custom Actions for denials
If a client-grant exists but access_denied persists, review Auth0 Actions/Rules that may reject the client or environment.
How to prevent it
- Create the client grant when adding a new API for CI.
- Scope M2M apps to only the APIs they call.
- Keep environment checks in Actions permissive for CI clients.
Related guides
Auth0 "Grant type not allowed for the client" in CIFix Auth0 "Grant type 'X' not allowed for the client" in CI - the Auth0 application does not have the request…
OAuth2 "invalid_grant" from the token endpoint in CIFix OAuth2 "error":"invalid_grant" from the token endpoint in CI - the authorization code, refresh token, or…
Okta "E0000004 Authentication failed" in CIFix Okta "errorCode":"E0000004","errorSummary":"Authentication failed" in CI - a primary auth call with wrong…