Get Management API Tokens for Single-Page Applications
In certain cases, you may want to use Auth0's Management API to manage your applications and APIs rather than the Auth0 Management Dashboard.
To call any of the endpoints in the Management API, you must authenticate using a specialized OpenID Connect (OIDC) protocol Access Token called the Management API Token. Management API Tokens are JSON Web Tokens (JWTs) that contain specific granted permissions (also known as scopes) for the Management API endpoints you want to call.
Ways to use scopes
Because single-page applications (SPAs) are public clients and therefore cannot securely store sensitive information (such as a Client Secret), they must retrieve Management API Tokens from the frontend, unlike other application types.
This means that Management API Tokens for SPAs have special limitations. Specifically, they will be issued in the context of the user who is currently signed in to Auth0, which limits updates to only the logged-in user's data. Although this restricts use of the Management API, it can still be used to perform actions related to updating the logged-in user's user profile.
Available scopes and endpoints
With a Management API Token issued for a SPA, you can access the following scopes (and hence endpoints):
| Scope for current user | Endpoint |
Requested scopes versus granted scopes
Using a Management API Token to call the Management API from a SPA
In this example, we will retrieve a Management API Token from a SPA and use this token to call the Auth0 Management API to retrieve the full user profile of the currently logged-in user.
1. Retrieve a Management API Token
- The audience is set to https://YOUR_DOMAIN/api/v2/. By default, an API representing the Auth0 Management API is registered for you when you create your tenant in the Auth0 Dashboard. The audience value represents the registered Management API's URI for your tenant.
- The response type is id_token token (indicating that we want to receive both an ID Token as well as an Access Token, which represents the Management API Token).
- The requested scope is read:current_user. This scope will allow us to call either of the two endpoints listed in the table above for this scope.
When we receive our Management API Token, it will be in JSON Web Token format. Decoding it and reviewing its contents will reveal the following:
- The aud is set to the audience you provided when authenticating (your tenant's Management API URI).
- The granted scope is what you requested when you authenticated: read:current_user.
- The sub is the user ID of the currently logged-in user.
2. Call the Auth0 Management API
Call the Auth0 Management API to retrieve the logged-in user's user profile from the Get User by ID endpoint. We can call this endpoint because we requested and were granted the proper scope (read:current_user) during authentication.
To call the endpoint, include the encoded Management API Token you retrieved in the Authorization header of the request. Be sure to replace the user ID and MGMT_API_ACCESS_TOKEN placeholder values with the logged-in user's user ID (the sub value from the decoded Management API Token) and the Management API Access Token, respectively.
| Placeholder | Description |
| (user ID placeholder) | ID of the user for which you want to retrieve the user profile. Because of the limitations placed on Management API Tokens for SPAs, this should be the user ID for the logged-in user, which can be found in the |
| MGMT_API_ACCESS_TOKEN | Access Token for the Management API with the scope |
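The two steps above, as an added JavaScript example (this is not Auth0's own code or SDK): it builds the authorization request with the audience, response type and scope described in step 1, decodes the returned Management API Token to confirm that aud, scope, sub and exp match what the SPA expects, and assembles the Get User by ID request with the Bearer token in the Authorization header for step 2. Assumptions not on this page: the authorize endpoint is https://YOUR_DOMAIN/authorize, the Get User by ID endpoint is GET /api/v2/users/{id}, client_id, redirect_uri, nonce and state are the standard OIDC request parameters, and openid is added to the scope because an ID Token is requested. The claim check only reads the payload; it is not a signature check (the Management API verifies the signature server-side), and the tenant domain, user ID and token are constructed sample values.

```javascript
// Added example, not Auth0's code. Runs in a browser or Node 18+ (URL, atob, btoa,
// TextEncoder/TextDecoder globals). Network calls are left to the SPA.

// --- base64url helpers (JWT segments are base64url without padding) ----------
function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  const binary = String.fromCharCode(...bytes);
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// --- Step 1: the authorization request ---------------------------------------
// audience, response_type and read:current_user are the values the page gives;
// the /authorize path, client_id, redirect_uri, nonce, state and the openid
// scope are assumptions (standard OIDC, not taken from the page).
function buildAuthorizeUrl({ domain, clientId, redirectUri, nonce, state }) {
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    audience: `https://${domain}/api/v2/`,
    response_type: 'id_token token',
    scope: 'openid read:current_user',
    client_id: clientId,
    redirect_uri: redirectUri,
    nonce,
    state,
  }).toString();
  return url.toString();
}

// --- Decode the token and sanity-check its claims ----------------------------
// Reads the payload only; this is NOT signature verification. It lets the SPA
// fail early with a clear reason instead of getting a 401/403 from the API.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

function checkManagementToken(token, { domain, expectedSub, requiredScope }) {
  const claims = decodeJwtPayload(token);
  const reasons = [];
  const expectedAud = `https://${domain}/api/v2/`;
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud]; // aud may be string or array
  if (!aud.includes(expectedAud)) reasons.push('aud');
  const scopes = typeof claims.scope === 'string' ? claims.scope.split(' ') : [];
  if (!scopes.includes(requiredScope)) reasons.push('scope');
  if (claims.sub !== expectedSub) reasons.push('sub'); // must be the logged-in user
  const now = Math.floor(Date.now() / 1000);
  if (typeof claims.exp !== 'number' || claims.exp <= now) reasons.push('exp');
  return { ok: reasons.length === 0, reasons, claims };
}

// --- Step 2: the Get User by ID request --------------------------------------
// Path /api/v2/users/{id} is assumed; the user ID goes in the path, the token
// in the Authorization header as a Bearer token.
function buildGetUserRequest({ domain, userId, accessToken }) {
  return {
    url: `https://${domain}/api/v2/users/${encodeURIComponent(userId)}`,
    options: {
      method: 'GET',
      headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json' },
    },
  };
}

// --- Constructed sample data (not a real tenant, user or token) --------------
const SAMPLE_DOMAIN = 'example-tenant.example.com';
const SAMPLE_SUB = 'auth0|constructed-user-id';

function makeConstructedToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = base64UrlEncode(JSON.stringify(payload));
  return `${header}.${body}.constructed-signature-not-valid`;
}

const SAMPLE_TOKEN = makeConstructedToken({
  iss: `https://${SAMPLE_DOMAIN}/`,
  sub: SAMPLE_SUB,
  aud: `https://${SAMPLE_DOMAIN}/api/v2/`,
  exp: Math.floor(Date.now() / 1000) + 3600,
  scope: 'read:current_user',
});

// Usage: check the claims, then build the request the SPA would pass to fetch().
const verdict = checkManagementToken(SAMPLE_TOKEN, {
  domain: SAMPLE_DOMAIN, expectedSub: SAMPLE_SUB, requiredScope: 'read:current_user',
});
if (verdict.ok) {
  const { url } = buildGetUserRequest({ domain: SAMPLE_DOMAIN, userId: verdict.claims.sub, accessToken: SAMPLE_TOKEN });
  console.log('would call', url); // fetch(url, options) in the SPA
} else {
  console.log('token not usable for this call:', verdict.reasons);
}
```

The sub used in the path comes from the decoded token rather than from application state, which keeps the request inside the limitation described above: a SPA token only covers the signed-in user, so a mismatch between the requested user ID and sub is rejected by the API anyway, and checking it locally surfaces the problem before the call.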