POST /oauth/token/custom_claims returns 405 in version 0.8.3

[KaiLuettmann]

Hello,
I'm testing the POST /oauth/token/custom_claims endpoint in version 0.8.3 and I noticed that it always returns 405 Method Not Allowed, even when following the JSON format from the documentation. I want to make sure I'm not missing anything on my side, so I’m sharing my test results and a minimal reproducible example in the attached ZIP file.

Steps to Reproduce

1. Unzip the attached repository.
2. Start localauth0 with the included docker-compose.yml and minimal localauth0.toml.
3. Run the test scripts:

# PowerShell
.\repro.ps1

# Bash
./repro.sh

---

Both scripts perform POST requests to /oauth/token/custom_claims in two variants:

Variant 1 – value as string

{
  "custom_claims": [
    {
      "name": "custom_claim_field_name",
      "value": "custom_claim_field_value"
    }
  ]
}

Variant 2 – value as array

{
  "custom_claims": [
    {
      "name": "custom_claim_field_name",
      "value": ["custom_claim_field_value_1","custom_claim_field_value_2"]
    }
  ]
}

---

Observed Behavior

• All POST requests return:

HTTP/1.1 405 Method Not Allowed
Request did not meet this resource's requirements

---

Expected Behavior

• The endpoint should accept a JSON body with one or more custom claims (string or array values) and return a success confirmation (e.g., HTTP 200 or similar), rather than an error.

---

Additional Observations

• GET /oauth/token/custom_claims returns HTML (Web UI).
• GET /permissions/<audience> works as expected and returns JSON.

---

Notes

• It's possible that I'm misunderstanding the intended usage of this endpoint.
• All other configuration (TOML path, container setup, etc.) works fine.

---

Environment

• localauth0 version: 0.8.3

[kmoorejr9]

Can confirm that this issue persists on version 0.9.0 as well.

[cpiemontese]

Hey! Thanks to @kmoorejr9 we released 0.9.1 which should solve this, let us know

[KaiLuettmann]

I tested this in version 0.9.1. The GET /oauth/token/custom_claims endpoint is now working and returning proper JSON!

However, the documentation in the README for the POST request seems to be outdated, which caused the 400 Bad Request in my previous tests. The parser expects a typed object (String or Vec) rather than a flat value.

Here is the correct payload format that works in v0.9.1:

For a String value:

{
  "custom_claims": [
    {
      "name": "custom_claim_field_name",
      "value": {
        "String": "your string value"
      }
    }
  ]
}

For an Array (List of strings):

{
  "custom_claims": [
    {
      "name": "custom_claim_field_name",
      "value": {
        "Vec": ["value_1", "value_2"]
      }
    }
  ]
}

Since the endpoint itself is working fine now, feel free to close this issue or keep it open for a documentation update, whichever you prefer. Thanks for the fix!