Skip to content

Commit d2f2957

Browse files
pmalouinclaude
andauthored
fix: add missing step to assign downstream API permissions to roles in OBO quickstart (#1317)
The "Call Your API on a User's Behalf" page was missing a step to assign the downstream API's `read:private` scope to the roles created earlier, which would cause the OBO token exchange flow to fail silently for users following the guide. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 9b921a7 commit d2f2957

2 files changed

Lines changed: 18 additions & 0 deletions

File tree

auth4genai/mcp/get-started/call-your-apis-on-users-behalf.mdx

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@ import MCPGetStartedCreateRoles from "/snippets/mcp/get-started/config-tenant/ro
1616
import CreateProfile from "/snippets/mcp/get-started/create-custom-token-exchange-profile.mdx";
1717
import CreateMCPAPI from "/snippets/mcp/get-started/create-mcp-api.mdx";
1818
import AssignPermissionsToRoles from "/snippets/mcp/get-started/config-tenant/assign-permissions-to-roles.mdx";
19+
import AssignDownstreamPermissionsToRoles from "/snippets/mcp/get-started/config-tenant/assign-downstream-permissions-to-roles.mdx";
1920
import { DownloadQuickstartButton } from "/snippets/download-quickstart/DownloadQuickstartButton.jsx";
2021
import MCPGetStartedTestingInstructions from "/snippets/mcp/get-started/testing-instructions.mdx";
2122
import CreateEnvFile from "/snippets/mcp/get-started/call-your-apis/create-env-file.mdx";
@@ -128,6 +129,8 @@ auth0 api post resource-servers --data '{
128129

129130
Save the API identifier (audience) from the output; you'll configure it in your environment variables as `API_AUTH0_AUDIENCE`.
130131

132+
<AssignDownstreamPermissionsToRoles />
133+
131134
## Sample app
132135
<Tabs>
133136
<Tab title="Javascript" icon="js">
Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
<Accordion title="Assign permissions to roles">
2+
3+
After creating the downstream API and roles, assign the `read:private` permission to the roles.
4+
5+
```shell wrap lines
6+
# Example for admin role
7+
auth0 roles permissions add YOUR_ADMIN_ROLE_ID --api-id "http://localhost:8787/" --permissions "read:private"
8+
9+
# Example for user role
10+
auth0 roles permissions add YOUR_USER_ROLE_ID --api-id "http://localhost:8787/" --permissions "read:private"
11+
```
12+
13+
Replace `YOUR_ADMIN_ROLE_ID` and `YOUR_USER_ROLE_ID` with the role IDs you saved when creating the roles.
14+
15+
</Accordion>

0 commit comments

Comments
 (0)