Get Management API Tokens for Single-Page Applications

To call Auth0's Management API endpoints, you need to authenticate with a specialized Access Token called the Auth0 Management API Token. This token is a JSON Web Token (JWT) and contains specific granted permissions (also known as scopes). Because single-page applications (SPAs) are public clients, they cannot securely store sensitive information, such as the Client Secret, so they cannot retrieve this token in the same way as other application types.

SPAs can still retrieve tokens for the Management API, but they must do so from the frontend, and the Access Token will be issued in the context of the user who is currently signed in to Auth0. Although this restricts the token to certain scopes and limits updates to only the logged-in user's data, it can be useful for actions such as updating the user profile.

With a Management API Token issued for a SPA, you can access the following scopes, and hence endpoints:

Scope for current user                  Endpoint
read:current_user                       GET /api/v2/users/{id}
                                        GET /api/v2/users/{id}/enrollments
update:current_user_identities          POST /api/v2/users/{id}/identities
                                        DELETE /api/v2/users/{id}/identities/{provider}/{user_id}
update:current_user_metadata            PATCH /api/v2/users/{id}
create:current_user_metadata            PATCH /api/v2/users/{id}
delete:current_user_metadata            DELETE /api/v2/users/{id}/multifactor/{provider}
create:current_user_device_credentials  POST /api/v2/device-credentials
delete:current_user_device_credentials  DELETE /api/v2/device-credentials/{id}

Example: Get Management API Token to retrieve user profile

In this example, we obtain a Management API Token and use it to fetch the full user profile of the currently logged-in user.

  1. Authenticate the user (using the Implicit grant) by redirecting them to the Authorization endpoint, which is where users are directed upon login or sign-up:

If you are not familiar with authentication for SPAs, see Implicit Flow.

Notice:

  • The audience is set to https://YOUR_DOMAIN/api/v2/ (representing your tenant's Management API URI)
  • The response_type is id_token token (indicating that we want to receive both an ID Token as well as an Access Token, which represents the Management API Token)
  • The requested scope is read:current_user

After we receive our tokens, decoding the Access Token and reviewing its contents reveals the following:

Notice:

  • The aud is set to the audience you provided when authenticating (your tenant's API URI)
  • The granted scope is read:current_user
  • The sub is the user ID of the currently logged-in user

  2. Retrieve the user profile from the Get User by ID endpoint. Include the Management API Token in the Authorization header of the request:
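The two steps above carried through in browser-side JavaScript, as an added example that is not Auth0's own code: it builds the /authorize URL with the audience, response_type and scope the text calls out, reads the tokens from the redirect fragment, checks the aud, scope and sub claims of the decoded Access Token, and prepares the Get User by ID request. DOMAIN, CLIENT_ID and REDIRECT_URI are placeholders; state, nonce and the openid scope (needed for an ID Token) are assumptions, and the sample token is constructed and unsigned so the helpers run offline.

```javascript
const DOMAIN = "YOUR_DOMAIN";                 // placeholder: your Auth0 tenant domain
const CLIENT_ID = "YOUR_CLIENT_ID";           // placeholder: the SPA's Client ID
const REDIRECT_URI = "https://app.example/callback"; // placeholder callback URL
// Step 1: the /authorize URL. audience, response_type and scope are the values the page
// calls out; openid is needed for the ID Token; state and nonce are assumed here.
function buildAuthorizeUrl(domain, clientId, redirectUri, state, nonce) {
  const params = new URLSearchParams({
    audience: `https://${domain}/api/v2/`,
    response_type: "id_token token",
    scope: "openid read:current_user",
    client_id: clientId, redirect_uri: redirectUri, state, nonce,
  });
  return `https://${domain}/authorize?${params}`;
}
// Tokens come back in the URL fragment after the redirect (window.location.hash).
function parseFragment(hash) {
  return Object.fromEntries(new URLSearchParams(hash.replace(/^#/, "")));
}
// Decode the JWT payload (base64url JSON). Reads claims only; it does not verify the
// signature, which the Management API does on its side before serving the request.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64.padEnd(b64.length + ((4 - (b64.length % 4)) % 4), "=");
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}
// The claims the page says to check (aud, scope, sub) plus expiry. Returns a list of
// problems; an empty list means the token is usable for the profile call.
function checkManagementToken(payload, domain, requiredScope) {
  const auds = [].concat(payload.aud ?? []);
  const scopes = String(payload.scope ?? "").split(" ");
  const problems = [];
  if (!auds.includes(`https://${domain}/api/v2/`)) problems.push("aud is not the tenant Management API URI");
  if (!scopes.includes(requiredScope)) problems.push(`scope lacks ${requiredScope}`);
  if (!payload.sub) problems.push("sub (user ID) missing");
  if (typeof payload.exp === "number" && payload.exp * 1000 < Date.now()) problems.push("token expired");
  return problems;
}
// Step 2: Get User by ID for the sub in the token, with the token as a Bearer credential.
function buildGetUserRequest(domain, payload, accessToken) {
  const url = `https://${domain}/api/v2/users/${encodeURIComponent(payload.sub)}`;
  return { url, options: { method: "GET", headers: { Authorization: `Bearer ${accessToken}` } } };
}
// Constructed, unsigned sample token so the helpers run offline (real tokens are signed by Auth0).
const b64url = (s) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_PAYLOAD = { iss: `https://${DOMAIN}/`, sub: "auth0|sample-user-id",
  aud: [`https://${DOMAIN}/api/v2/`], scope: "read:current_user", exp: 4102444800 };
const SAMPLE_TOKEN = [b64url('{"alg":"RS256","typ":"JWT"}'), b64url(JSON.stringify(SAMPLE_PAYLOAD)), "sig"].join(".");
const SAMPLE_HASH = `#access_token=${SAMPLE_TOKEN}&id_token=x.y.z&token_type=Bearer&state=st`;
```

In a real SPA, pass `window.location.hash` to `parseFragment` on the callback page and hand `req.url` and `req.options` to `fetch`.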
