PATCH /resource-servers/{id}
TypeScript
import { ManagementClient } from "auth0";

async function main() {
    const client = new ManagementClient({
        token: "<token>",
    });
    await client.resourceServers.update("id", {});
}
main();
{
  "id": "<string>",
  "name": "<string>",
  "is_system": true,
  "identifier": "<string>",
  "scopes": [
    {
      "value": "<string>",
      "description": "<string>"
    }
  ],
  "signing_alg": "HS256",
  "signing_secret": "<string>",
  "allow_offline_access": true,
  "skip_consent_for_verifiable_first_party_clients": true,
  "token_lifetime": 123,
  "token_lifetime_for_web": 123,
  "enforce_policies": true,
  "token_dialect": "access_token",
  "token_encryption": {
    "format": "compact-nested-jwe",
    "encryption_key": {
      "alg": "RSA-OAEP-256",
      "pem": "-----BEGIN PUBLIC KEY-----\r\nMIIBIjANBg...\r\n-----END PUBLIC KEY-----\r\n",
      "name": "<string>",
      "kid": "<string>"
    }
  },
  "consent_policy": "transactional-authorization-with-mfa",
  "authorization_details": [
    "<unknown>"
  ],
  "proof_of_possession": {
    "mechanism": "mtls",
    "required": true,
    "required_for": "public_clients"
  },
  "subject_type_authorization": {
    "user": {
      "policy": "allow_all"
    },
    "client": {
      "policy": "deny_all"
    }
  },
  "client_id": "<string>"
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

id
string
required

ID or audience of the resource server to update.

Body

name
string

Friendly name for this resource server. Cannot contain < or > characters.

Maximum string length: 200
Pattern: ^[^<>]+$
scopes
object[]

List of permissions (scopes) that this API uses.

signing_alg
enum<string>
default:HS256

Algorithm used to sign JWTs. Can be HS256 (default) or RS256. PS256 available via addon.

Available options: HS256, RS256, RS512, PS256
signing_secret
string

Secret used to sign tokens when using symmetric algorithms (HS256).

Minimum string length: 16

skip_consent_for_verifiable_first_party_clients
boolean

Whether to skip user consent for applications flagged as first party (true) or not (false).

allow_offline_access
boolean

Whether refresh tokens can be issued for this API (true) or not (false).

token_lifetime
integer

Expiration value (in seconds) for access tokens issued for this API from the token endpoint.

Required range: 0 <= x <= 2592000
token_dialect
enum<string>

Dialect of issued access token. access_token is a JWT containing standard Auth0 claims; rfc9068_profile is a JWT conforming to the IETF JWT Access Token Profile. access_token_authz and rfc9068_profile_authz additionally include RBAC permissions claims.

Available options: access_token, access_token_authz, rfc9068_profile, rfc9068_profile_authz
enforce_policies
boolean

Whether authorization policies are enforced (true) or not enforced (false).

token_encryption
object
consent_policy
Available options: transactional-authorization-with-mfa, null
authorization_details
any[] | null
proof_of_possession
object

Proof-of-Possession configuration for access tokens

subject_type_authorization
object

Defines application access permission for a resource server

Response

Resource server successfully updated.

id
string

ID of the API (resource server).

name
string

Friendly name for this resource server. Cannot contain < or > characters.

is_system
boolean

Whether this is an Auth0 system API (true) or a custom API (false).

identifier
string

Unique identifier for the API used as the audience parameter on authorization calls. Cannot be changed once set.

scopes
object[]

List of permissions (scopes) that this API uses.

signing_alg
enum<string>
default:HS256

Algorithm used to sign JWTs. Can be HS256 (default) or RS256. PS256 available via addon.

Available options: HS256, RS256, RS512, PS256
signing_secret
string

Secret used to sign tokens when using symmetric algorithms (HS256).

Minimum string length: 16
allow_offline_access
boolean

Whether refresh tokens can be issued for this API (true) or not (false).

skip_consent_for_verifiable_first_party_clients
boolean

Whether to skip user consent for applications flagged as first party (true) or not (false).

token_lifetime
integer

Expiration value (in seconds) for access tokens issued for this API from the token endpoint.

token_lifetime_for_web
integer

Expiration value (in seconds) for access tokens issued for this API via Implicit or Hybrid Flows. Cannot be greater than the token_lifetime value.

enforce_policies
boolean

Whether authorization policies are enforced (true) or unenforced (false).

token_dialect
enum<string>

Dialect of access tokens that should be issued. access_token is a JWT containing standard Auth0 claims; rfc9068_profile is a JWT conforming to the IETF JWT Access Token Profile. access_token_authz and rfc9068_profile_authz additionally include RBAC permissions claims.

Available options: access_token, access_token_authz, rfc9068_profile, rfc9068_profile_authz
token_encryption
object
consent_policy
Available options: transactional-authorization-with-mfa, null
authorization_details
any[] | null
proof_of_possession
object

Proof-of-Possession configuration for access tokens

subject_type_authorization
object

Defines application access permission for a resource server

client_id
string<client-id>

The client ID of the client that this resource server is linked to
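
Added example (not part of the Auth0 reference or SDK): a pre-flight check that applies the limits documented above (name pattern and length, signing_alg and token_dialect options, signing_secret minimum length, token_lifetime range, and token_lifetime_for_web not exceeding token_lifetime) to an update body before it is sent. The helper name validateResourceServerPatch and its currentTokenLifetime parameter are hypothetical, and it assumes token_lifetime_for_web is accepted in the request body with the constraint given in the Response section.

```typescript
// Added example, not Auth0 code. Limits are copied from the field descriptions on this page.
type ResourceServerPatch = {
  name?: string;
  signing_alg?: string;
  signing_secret?: string;
  token_lifetime?: number;
  token_lifetime_for_web?: number; // assumption: accepted in the request body
  token_dialect?: string;
};

const SIGNING_ALGS = ["HS256", "RS256", "RS512", "PS256"];
const TOKEN_DIALECTS = ["access_token", "access_token_authz", "rfc9068_profile", "rfc9068_profile_authz"];
const MAX_TOKEN_LIFETIME = 2592000; // seconds, upper bound of the documented range

const isInt = (n: number): boolean => isFinite(n) && Math.floor(n) === n;

// Hypothetical helper: returns one message per violated constraint ([] = body passes).
// currentTokenLifetime is the value already stored on the resource server, used when
// the PATCH changes token_lifetime_for_web but leaves token_lifetime untouched.
function validateResourceServerPatch(body: ResourceServerPatch, currentTokenLifetime?: number): string[] {
  const errors: string[] = [];
  if (body.name !== undefined) {
    if (body.name.length > 200) errors.push("name: longer than 200 characters");
    if (!/^[^<>]+$/.test(body.name)) errors.push("name: empty or contains < or >");
  }
  if (body.signing_alg !== undefined && SIGNING_ALGS.indexOf(body.signing_alg) === -1)
    errors.push("signing_alg: not one of " + SIGNING_ALGS.join(", "));
  if (body.signing_secret !== undefined && body.signing_secret.length < 16)
    errors.push("signing_secret: shorter than 16 characters");
  if (body.token_lifetime !== undefined &&
      (!isInt(body.token_lifetime) || body.token_lifetime < 0 || body.token_lifetime > MAX_TOKEN_LIFETIME))
    errors.push("token_lifetime: must be an integer in 0.." + MAX_TOKEN_LIFETIME);
  if (body.token_dialect !== undefined && TOKEN_DIALECTS.indexOf(body.token_dialect) === -1)
    errors.push("token_dialect: not one of " + TOKEN_DIALECTS.join(", "));
  if (body.token_lifetime_for_web !== undefined) {
    // Compare against the lifetime in this PATCH if present, else the stored one.
    const limit = body.token_lifetime !== undefined ? body.token_lifetime : currentTokenLifetime;
    if (!isInt(body.token_lifetime_for_web))
      errors.push("token_lifetime_for_web: must be an integer");
    else if (limit !== undefined && body.token_lifetime_for_web > limit)
      errors.push("token_lifetime_for_web: greater than token_lifetime (" + limit + ")");
  }
  return errors;
}
```

Run it on the body you are about to pass to client.resourceServers.update and send the request only when the returned list is empty.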