Get Management API Tokens for Single-Page Applications

In certain cases, you may want to use Auth0's Management API to manage your applications and APIs rather than the Auth0 Management Dashboard.

To call any of the endpoints in the Management API, you must authenticate using a specialized Access Token called the Management API Token. Management API Tokens are JSON Web Tokens (JWTs) that contain specific granted permissions (also known as scopes) for the Management API endpoints you want to call.


Because single-page applications (SPAs) are public clients and therefore cannot securely store sensitive information (such as a Client Secret), they must retrieve Management API Tokens from the frontend, unlike other application types.

This means that Management API Tokens for SPAs have special limitations. Specifically, they will be issued in the context of the user who is currently signed in to Auth0, which limits updates to only the logged-in user's data. Although this restricts use of the Management API, it can still be used to perform actions related to updating the logged-in user's user profile.

Available scopes and endpoints

With a Management API Token issued for a SPA, you can access the following scopes (and hence endpoints):

Scope for current user Endpoint
read:current_user GET /api/v2/users/{id}
GET /api/v2/users/{id}/enrollments
update:current_user_identities POST/api/v2/users/{id}/identities
DELETE /api/v2/users/{id}/identities/{provider}/{user_id}
update:current_user_metadata PATCH /api/v2/users/{id}
create:current_user_metadata PATCH /api/v2/users/{id}
delete:current_user_metadata DELETE /api/v2/users/{id}/multifactor/{provider}
create:current_user_device_credentials POST /api/v2/device-credentials
delete:current_user_device_credentials DELETE /api/v2/device-credentials/{id}

Please note that the above scopes (and therefore limits) are rate limited.

Using a Management API Token to call the Management API from a SPA

In this example, we will retrieve a Management API Token from a SPA and use this token to call the Auth0 Management API to retrieve the full user profile of the currently logged-in user.

1. Retrieve a Management API Token

Authenticate the user (using the Implicit grant) by redirecting them to the Authorization endpoint, which is where users are directed upon login or sign-up:


If you are not familiar with authentication for SPAs, see Implicit Flow.


  • The audience is set to https://YOUR_DOMAIN/api/v2/. By default, an API representing the Auth0 Management API is registered for you when you create your tenant in the Auth0 Dashboard. The audience value represents the registered Management API's URI for your tenant.
  • The response_type is id_token token (indicating that we want to receive both an ID Token as well as an Access Token, which represents the Management API Token).
  • The requested scope is read:current_user. This scope will allow us to call either of the two endpoints listed in the table above for this scope.


When we receive our Management API Token, it will be in JSON Web Token format. Decoding it and reviewing its contents will reveal the following:

  "iss": "https://YOUR_DOMAIN/",
  "sub": "auth0|5a620d29a840170a9ef43672",
  "aud": "https://YOUR_DOMAIN/api/v2/",
  "iat": 1521031317,
  "exp": 1521038517,
  "azp": "YOUR_CLIENT_ID",
  "scope": "read:current_user"


  • The aud is set to the audience you provided when authenticating (your tenant's Management API URI).
  • The granted scope is what you requested when you authenticated: read:current_user.
  • The sub is the user ID of the currently logged-in user.

2. Call the Auth0 Management API

Call the Auth0 Management API to retrieve the logged-in user's user profile from the Get User by ID endpoint. We can call this endpoint because we requested and were granted the proper scope (read:current_user) during authentication.

To call the endpoint, include the encoded Management API Token you retrieved in the Authorization header of the request. Be sure to replace the USER_ID and MGMT_API_ACCESS_TOKEN placeholder values with the logged-in user's user ID (sub value from the decoded Management API Token) and the Management API Access Token, respectively.

curl --request GET \
  --url 'https://YOUR_DOMAIN/api/v2/users/USER_ID' \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN'
var client = new RestClient("https://YOUR_DOMAIN/api/v2/users/USER_ID");
var request = new RestRequest(Method.GET);
request.AddHeader("authorization", "Bearer MGMT_API_ACCESS_TOKEN");
IRestResponse response = client.Execute(request);
package main

import (

func main() {

	url := "https://YOUR_DOMAIN/api/v2/users/USER_ID"

	req, _ := http.NewRequest("GET", url, nil)

	req.Header.Add("authorization", "Bearer MGMT_API_ACCESS_TOKEN")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)


HttpResponse<String> response = Unirest.get("https://YOUR_DOMAIN/api/v2/users/USER_ID")
  .header("authorization", "Bearer MGMT_API_ACCESS_TOKEN")
var request = require("request");

var options = {
  method: 'GET',
  url: 'https://YOUR_DOMAIN/api/v2/users/USER_ID',
  headers: {authorization: 'Bearer MGMT_API_ACCESS_TOKEN'}

request(options, function (error, response, body) {
  if (error) throw new Error(error);

#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"authorization": @"Bearer MGMT_API_ACCESS_TOKEN" };

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_DOMAIN/api/v2/users/USER_ID"]
[request setHTTPMethod:@"GET"];
[request setAllHTTPHeaderFields:headers];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
[dataTask resume];
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://YOUR_DOMAIN/api/v2/users/USER_ID",
    "authorization: Bearer MGMT_API_ACCESS_TOKEN"

$response = curl_exec($curl);
$err = curl_error($curl);


if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
import http.client

conn = http.client.HTTPSConnection("")

headers = { 'authorization': "Bearer MGMT_API_ACCESS_TOKEN" }

conn.request("GET", "/YOUR_DOMAIN/api/v2/users/USER_ID", headers=headers)

res = conn.getresponse()
data =

require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://YOUR_DOMAIN/api/v2/users/USER_ID")

http =, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request =
request["authorization"] = 'Bearer MGMT_API_ACCESS_TOKEN'

response = http.request(request)
puts response.read_body
import Foundation

let headers = ["authorization": "Bearer MGMT_API_ACCESS_TOKEN"]

let request = NSMutableURLRequest(url: NSURL(string: "https://YOUR_DOMAIN/api/v2/users/USER_ID")! as URL,
                                        cachePolicy: .useProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.httpMethod = "GET"
request.allHTTPHeaderFields = headers

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
  } else {
    let httpResponse = response as? HTTPURLResponse

Value Description
USER_ID ID of the user for which you want to retrieve the user profile. Because of the limitations placed on Management API Tokens for SPAs, this should be the user ID for the logged-in user, which can be found in the sub claim of the decoded Management API Token.
MGMT_API_ACCESS_TOKEN Access Token for the Management API with the scope read:current_user.

Keep reading