Commit c2c275b

Clarify credential id is required for ip allowlist update
1 parent 8a9a558 commit c2c275b

1 file changed

Lines changed: 12 additions & 2 deletions

main/docs/secure/call-apis-on-users-behalf/token-vault/privileged-worker-token-exchange-with-token-vault.mdx

@@ -64,11 +64,20 @@ Authorization: Bearer <YOUR_MANAGEMENT_API_ACCESS_TOKEN>
6464
Content-Type: application/json
6565
{
6666
"token_vault_privileged_access": {
67-
"credentials": [{"id": "<YOUR CREDENTIAL ID>"}]
67+
"credentials": [{"id": "<YOUR_CREDENTIAL_ID>"}]
6868
}
6969
}
7070
```
7171

72+
If you need to look up the credential id, retrieve it with a GET request:
73+
74+
```bash lines
75+
GET https://{yourDomain}.auth0.com/api/v2/clients/{yourClientId}
76+
Authorization: Bearer <YOUR_MANAGEMENT_API_ACCESS_TOKEN>
77+
```
78+
79+
The `token_vault_privileged_access.credentials[].id` field in the response contains the credential ID.
80+
7281
### Configure IP allowlist
7382

7483
To restrict which IP addresses may make Privileged Worker exchange requests, configure an `ip_allowlist` on your client. This binds the client credential to known server egress IPs, so a leaked credential cannot be used from an arbitrary IP address. Both IPv4 and IPv6 addresses and CIDR ranges are supported, with a maximum of 10 entries.
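
Review bot: The fence added at new line 74 is tagged `bash lines`, but its body is a raw HTTP request (`GET https://{yourDomain}.auth0.com/api/v2/clients/{yourClientId}` followed by an `Authorization` header), not a shell command, so it will be highlighted as the wrong language and cannot be pasted into a terminal as written. Tag it as an HTTP request or rewrite it as a runnable command. In the same hunk the prose uses "credential id" on new line 72 and "credential ID" on new line 79, and the placeholders mix `{yourDomain}` with `<YOUR_MANAGEMENT_API_ACCESS_TOKEN>`; settle on one form of each to match the rest of the file.
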
@@ -79,7 +88,8 @@ Authorization: Bearer <YOUR_MANAGEMENT_API_ACCESS_TOKEN>
7988
Content-Type: application/json
8089
{
8190
"token_vault_privileged_access": {
82-
"ip_allowlist": ["<YOUR_SERVER_IP_ADDRESS>", "<YOUR_CIDR_RANGE>"]
91+
"credentials": [{"id": "<YOUR_CREDENTIAL_ID>"}],
92+
"ip_allowlist": ["<YOUR_SERVER_IP_ADDRESS>"]
8393
}
8494
}
8595
```
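
Review bot: The requirement named in the commit message appears only in the JSON at new line 91; the paragraph above the request (new line 83) never tells the reader that `credentials` has to be sent together with `ip_allowlist`. Add a sentence before the example stating that the credential id is required in the same update, so a reader who copies only the `ip_allowlist` key knows why the request is incomplete. Separately, new line 92 drops `"<YOUR_CIDR_RANGE>"` from the sample while the paragraph still says CIDR ranges are supported; keep a CIDR placeholder in the array or explain the removal.
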
