Hey @simon.vuong, I can see your cause of confusion. Usually calling the management API is reserved for machine-to-machine scenarios and is not something you would want to perform on the client side.
This is a special case, however (although not very well documented, I admit). There are a few management API scopes that you can request during a regular authentication. Here’s an example:
```javascript
// Use a variable name other than `auth0`, so the auth0.js global is not shadowed.
var webAuth = new auth0.WebAuth({
  domain: 'AUTH0_DOMAIN',
  clientID: 'CLIENT_ID',
  responseType: 'token id_token',
  redirectUri: 'REDIRECT_URI',
  // Ask for a token whose audience is the Management API of this tenant...
  audience: 'https://AUTH0_DOMAIN/api/v2/',
  // ...restricted to the current-user scope we need.
  scope: 'openid profile email update:current_user_metadata'
});
webAuth.authorize();
```
This will return an access token that can be used to call the management API, in this case one that can only update the current user's metadata.
Only the scopes that Anny listed in her answer can be requested like this. Note that all those scopes have to do with current_user, i.e. who is logged in at the moment, hence it's safe to use them on the client side. You do not need to create a separate machine-to-machine app to use this.
Makes sense?
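An added example, not part of the original post, of using the access token obtained above to update the logged-in user's metadata through the Management API. `AUTH0_DOMAIN` is the same placeholder as in the post; `buildUserMetadataPatch`, `updateCurrentUserMetadata` and the unsigned `SAMPLE_ACCESS_TOKEN` are constructed here for illustration and are not part of auth0.js.

```javascript
const AUTH0_DOMAIN = 'AUTH0_DOMAIN'; // placeholder, as in the post

// JWT segments are base64url without padding; these helpers work in browser and Node.
function b64urlEncode(str) {
  const b64 = typeof btoa === 'function' ? btoa(str) : Buffer.from(str, 'utf8').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(seg) {
  let b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  return typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('utf8');
}

// Read a JWT's claims without verifying it: the client only inspects the token it
// was handed, and the Management API verifies the signature on every request.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Build the PATCH that updates only the logged-in user's user_metadata. It checks for
// the audience and scope the WebAuth config in the post requested, so a token minted
// without them fails locally instead of with a 403 from the API.
function buildUserMetadataPatch(accessToken, metadata) {
  const claims = decodeJwtPayload(accessToken);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(`https://${AUTH0_DOMAIN}/api/v2/`)) throw new Error('wrong audience');
  if (!(claims.scope || '').split(' ').includes('update:current_user_metadata')) {
    throw new Error('access token lacks update:current_user_metadata');
  }
  return {
    url: `https://${AUTH0_DOMAIN}/api/v2/users/${encodeURIComponent(claims.sub)}`,
    method: 'PATCH',
    headers: { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ user_metadata: metadata }),
  };
}

// In the browser, call this with authResult.accessToken from webAuth.parseHash().
async function updateCurrentUserMetadata(accessToken, metadata) {
  const req = buildUserMetadataPatch(accessToken, metadata);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`Management API returned ${res.status}`);
  return res.json(); // the updated user profile
}

// Constructed, unsigned sample token (empty signature segment) for offline demonstration only.
const SAMPLE_ACCESS_TOKEN = [
  b64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  b64urlEncode(JSON.stringify({ sub: 'auth0|abc123', aud: ['https://AUTH0_DOMAIN/api/v2/'],
    scope: 'openid profile email update:current_user_metadata' })),
  '',
].join('.');
```

Because the token's `sub` is the only user id the request ever targets, the same code cannot be pointed at another user even if the scope were broader.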