Get Management API Access Tokens for Single-Page Applications
In certain cases, you may want to use Auth0's Management API to manage your applications and APIs rather than the Auth0 Management Dashboard.
To call any Management API endpoints, you must authenticate using a specialized Access Token called the Management API Token. Management API Tokens are JSON Web Tokens (JWTs) that contain specific granted permissions (also known as scopes) for the Management API endpoints you want to call.
Limitations
Since single-page applications (SPAs) are public clients and cannot securely store sensitive information (such as a Client Secret), they must retrieve Management API Tokens from the frontend, unlike other application types. This means that Management API Tokens for SPAs have certain limitations. Specifically, they are issued in the context of the user who is currently signed in to Auth0 which limits updates to only the logged-in user's data. Although this restricts use of the Management API, it can still be used to perform actions related to updating the logged-in user's user profile.
Available scopes and endpoints
With a Management API Token issued for a SPA, you can access the following scopes (and hence endpoints).
Scope for Current User | Endpoint |
---|---|
read:current_user |
GET /api/v2/users/{id} GET /api/v2/users/{id}/enrollments |
update:current_user_identities |
POST/api/v2/users/{id}/identities DELETE /api/v2/users/{id}/identities/{provider}/{user_id} |
update:current_user_metadata |
PATCH /api/v2/users/{id} |
create:current_user_metadata |
PATCH /api/v2/users/{id} |
delete:current_user_metadata |
DELETE /api/v2/users/{id}/multifactor/{provider} |
create:current_user_device_credentials |
POST /api/v2/device-credentials |
delete:current_user_device_credentials |
DELETE /api/v2/device-credentials/{id} |
Use Management API token to call Management API from a SPA
You can retrieve a Management API Token from a SPA (using the Management API’s audience to generate it) and use the token to call the Management API to retrieve the full user profile of the currently logged-in user.
Retrieve a Management API token.
Authenticate the user by redirecting them to the Authorization endpoint, which is where users are directed upon login or sign-up.
When you receive the Management API Token, it will be in JSON Web Token format.
Decode it and review its contents.
Call the Management API to retrieve the logged-in user's user profile from the Get User by ID endpoint.
To call the endpoint, include the encoded Management API token you retrieved in the
Authorization
header of the request.Be sure to replace the
USER_ID
andMGMT_API_ACCESS_TOKEN
placeholder values with the logged-in user's user ID (sub
value from the decoded Management API token) and the Management API access token, respectively.