⚠️ LEGACY ENDPOINT - This endpoint is part of the legacy authentication pipeline and is deprecated.
Status: Part of legacy pipeline. New applications should not use this endpoint.
Migration: Use /oauth/token with grant_type=password (Resource Owner Password Flow) or preferably use redirect-based flows like Authorization Code Flow with PKCE.
This endpoint allows you to authenticate a user using their username and password.
The access token received from the authorization server in the OAuth 2.0 flow.
Your application's Client ID
The user's username or email
The user's password
The name of the database connection
Must be 'password'
Space-delimited list of requested scopes
Used for delegation flows
Device identifier
Successful authentication
Successful token response containing access token and optionally ID token and refresh token
The access token issued by the authorization server. Use this token to access protected resources (APIs).
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMzQ1In0..."
The type of the token issued. Always 'Bearer' for Auth0.
"Bearer"
The lifetime in seconds of the access token. After this time, the token will expire and can no longer be used.
86400
The refresh token which can be used to obtain new access tokens. Only returned if 'offline_access' scope was requested.
"v1.MRHbz1VqR_y42v..."
The ID Token containing user profile information. Only returned if 'openid' scope was requested. This is a JWT containing user claims.
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
The scopes granted by the authorization server. May differ from requested scopes.
"openid profile email"
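Added example, not part of the original reference: a client-side check of the token response described above, covering the token type, the lifetime, and granted scopes that differ from the requested ones. The field names are the standard OAuth 2.0 / OpenID Connect response names, assumed here because this page lists only the descriptions; `check_token_response` and the sample values are hypothetical.

```python
import time

# Constructed sample response; token values are placeholders, not real tokens.
SAMPLE = {
    "access_token": "constructed.access.token",
    "token_type": "Bearer",
    "expires_in": 86400,
    "id_token": "constructed.id.token",
    "scope": "openid profile email",
}

def check_token_response(resp, requested_scope, now=None, skew=60):
    """Validate a parsed token response. Returns (session, warnings)."""
    now = time.time() if now is None else now
    token = resp.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("missing access_token")
    # RFC 6749 treats the token type as case-insensitive.
    if str(resp.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    ttl = resp.get("expires_in")
    if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl <= 0:
        raise ValueError("invalid expires_in")
    requested = set(requested_scope.split())
    # When scope is omitted, RFC 6749 says the grant equals the request.
    granted = set(resp["scope"].split()) if "scope" in resp else requested
    warnings = []
    if requested - granted:
        warnings.append("not granted: " + " ".join(sorted(requested - granted)))
    if granted - requested:
        warnings.append("not requested: " + " ".join(sorted(granted - requested)))
    if "offline_access" in granted and not resp.get("refresh_token"):
        warnings.append("offline_access granted but no refresh token")
    if "openid" in granted and not resp.get("id_token"):
        warnings.append("openid granted but no ID token")
    session = {
        "access_token": token,
        "renew_at": now + ttl - skew,  # renew slightly before expiry
        "scopes": granted,
        "refresh_token": resp.get("refresh_token"),
        # Still a JWT to verify (signature, claims) before its contents are trusted.
        "id_token": resp.get("id_token"),
    }
    return session, warnings

if __name__ == "__main__":
    print(check_token_response(SAMPLE, "openid profile email offline_access", now=1000))
```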