Create a Machine-to-Machine application in your Auth0 tenant and authorize it to call the Management API with the specific scopes needed (e.g., read:users, update:users, read:roles, create:role_members)
Obtain a Management API access token by posting to your tenant's /oauth/token endpoint with grant_type=client_credentials, your app's client_id, client_secret (YOUR_SECRET), and the Management API audience
Search and retrieve users with GET /api/v2/users using the q query parameter (Lucene syntax) or GET /api/v2/users/USER_ID for a specific user; use the fields parameter to limit response size
Create or update roles with POST /api/v2/roles or PATCH /api/v2/roles/ROLE_ID; assign users to a role with POST /api/v2/roles/ROLE_ID/users providing a JSON body with a users array of user IDs
Block a user by patching their profile with blocked: true via PATCH /api/v2/users/USER_ID; delete a user permanently with DELETE /api/v2/users/USER_ID
Paginate list responses using the page and per_page query parameters or the checkpoint pagination parameters (from and take) for large user bases; Management API endpoints are rate-limited per tenant
Known gotchas
Management API tokens expire (typically after 24 hours); cache the token and refresh it before expiry rather than requesting a new one on every API call
The Management API rate limits are per-endpoint and per-tenant, not per-token; bursting many user operations in a loop will trigger 429 responses — implement exponential backoff
Deleting a user in Auth0 does not automatically remove them from downstream systems or revoke issued tokens; ensure your application handles logout and downstream deprovisioning separately
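The token-expiry and 429 gotchas above, as an added Python example (not code from the original page): a small client that caches the Management API token until shortly before expiry and retries rate-limited calls with jittered exponential backoff. The injected `send` transport, the domain tenant.example.com, the credentials and the user ID are constructed placeholders; replace `send` with a real HTTP call.

```python
import random
import time
from urllib.parse import quote

class ManagementClient:
    """Caches the token and retries 429s; `send` is an injected transport (assumption)."""
    def __init__(self, domain, client_id, client_secret, send,
                 clock=time.monotonic, sleep=time.sleep):
        self.domain, self.client_id, self.client_secret = domain, client_id, client_secret
        self.send, self.clock, self.sleep = send, clock, sleep
        self._token, self._expires_at = None, 0.0

    def token(self, skew=60):
        # Reuse the cached token until `skew` seconds before its expiry.
        if self._token is None or self.clock() >= self._expires_at - skew:
            status, body = self.send("POST", f"https://{self.domain}/oauth/token", {}, {
                "grant_type": "client_credentials", "client_id": self.client_id,
                "client_secret": self.client_secret,
                "audience": f"https://{self.domain}/api/v2/"})
            if status != 200:
                raise RuntimeError(f"token request failed: HTTP {status}")
            self._token = body["access_token"]
            self._expires_at = self.clock() + body["expires_in"]
        return self._token

    def call(self, method, path, json=None, max_retries=5, base=0.5, cap=30.0):
        for attempt in range(max_retries + 1):
            headers = {"Authorization": f"Bearer {self.token()}"}
            status, body = self.send(method, f"https://{self.domain}{path}", headers, json)
            if status != 429:
                return status, body
            if attempt < max_retries:
                # Full-jitter exponential backoff: sleep 0..min(cap, base * 2**attempt).
                self.sleep(random.uniform(0, min(cap, base * 2 ** attempt)))
        raise RuntimeError(f"still rate-limited after {max_retries} retries: {path}")

def demo():
    """Constructed offline run: a fake tenant answers 429 twice, then 200."""
    urls, sleeps, replies = [], [], [429, 429, 200]
    def fake_send(method, url, headers, body):
        urls.append(url)
        if url.endswith("/oauth/token"):
            return 200, {"access_token": "constructed-token", "expires_in": 86400}
        return replies.pop(0), {}
    c = ManagementClient("tenant.example.com", "CLIENT_ID", "YOUR_SECRET", fake_send,
                         clock=lambda: 0.0, sleep=sleeps.append)
    path = "/api/v2/users/" + quote("auth0|constructed-1", safe="")  # IDs contain "|"
    return c.call("PATCH", path, {"blocked": True})[0], urls, sleeps
```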