So, you mentioned you are calling a couple of endpoints:
GET /api/v2/users/
No, this will not work. If you take a look at the table I included in my previous response, which is documented on Get Management API Access Tokens for Single-Page Applications, you cannot call GET /api/v2/users/ with an Access Token that was issued from a SPA. It is not included in the table. Please note that GET /api/v2/users/ is not the same as GET /api/v2/users/{id}.
GET /api/v2/users/{id}
Now, this one should work as long as the ID parameter is the one of the current user, i.e., you can only retrieve information about yourself. This is why you need the read:current_user scope for this endpoint, as documented in the table and the documentation above. If you are actually trying to access the current user's data but are receiving a 403 error, then the reason will probably be that the Access Token does not contain the needed scopes, such as read:current_user.
All this means you cannot access information about other users when you are using an Access Token issued from a SPA. You can only access data about the current user.
You can't request a full-scoped Access Token for the Management API from a SPA because SPAs are considered Public Applications. If you want to access any other user's data (different from the current user), you cannot request the Access Token from your SPA. You must do it from a backend system of your choice instead (see Get Management API Access Tokens for Production), such as an M2M application.
How to implement the above and still use your SPA? Well, don’t pass the Management API Access Token to the SPA because as mentioned, your SPA is a public application. Instead:
- Proxy the Management API request from the SPA through your backend/API.
- Your backend then communicates via M2M / Client Credentials Exchange with the Auth0 Management API.
- Your SPA communicates via your backend so you might need to create the required endpoint on your backend, take the query, and make the query call to the Auth0 Management API. Then, your backend passes on the response to your SPA.
I hope all this makes more sense now.
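The proxy pattern described above, as an added example that is not part of the original answer and not Auth0's own code: a minimal Node backend handler that fronts GET /api/v2/users/{id} for the SPA, performs the Client Credentials exchange itself, and never hands the Management API token to the browser. The tenant domain and M2M credentials are placeholders, `callerClaims` is assumed to be the already-verified payload of the SPA's Access Token, and the `read:users` permission used to let a privileged caller read other users is a hypothetical name chosen for this example.

```javascript
// Placeholders: the M2M client secret lives only on the backend, never in the SPA.
const CONFIG = {
  domain: 'YOUR_TENANT.auth0.com',
  clientId: 'M2M_CLIENT_ID',
  clientSecret: 'M2M_CLIENT_SECRET',
};

// Authorization is decided on the backend: a caller may read its own record, or any
// record only if its own (verified) token carries the hypothetical 'read:users' permission.
function authorizeUserLookup(callerClaims, requestedId) {
  if (callerClaims.sub === requestedId) return true;
  const perms = Array.isArray(callerClaims.permissions) ? callerClaims.permissions : [];
  return perms.includes('read:users');
}

let cachedToken = null; // { value, expiresAt } for the Management API token

// Client Credentials exchange against the tenant's /oauth/token endpoint, cached until
// shortly before expiry so the backend does not request a new token on every call.
async function getManagementToken(fetchImpl, now = Date.now()) {
  if (cachedToken && cachedToken.expiresAt > now + 60000) return cachedToken.value;
  const res = await fetchImpl(`https://${CONFIG.domain}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: CONFIG.clientId,
      client_secret: CONFIG.clientSecret,
      audience: `https://${CONFIG.domain}/api/v2/`,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  const body = await res.json();
  cachedToken = { value: body.access_token, expiresAt: now + body.expires_in * 1000 };
  return cachedToken.value;
}

// Proxy handler: the SPA calls this on your backend; only { status, body } goes back to it.
// fetchImpl is injected so the handler can be exercised without network access.
async function proxyGetUser(callerClaims, requestedId, fetchImpl) {
  if (!authorizeUserLookup(callerClaims, requestedId)) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  const token = await getManagementToken(fetchImpl);
  const res = await fetchImpl(
    `https://${CONFIG.domain}/api/v2/users/${encodeURIComponent(requestedId)}`,
    { headers: { authorization: `Bearer ${token}` } },
  );
  return { status: res.status, body: await res.json() };
}
```

Wire `proxyGetUser` behind a route that first validates the SPA's own Access Token (audience, issuer, signature, expiry) and derives `callerClaims` from it; the example deliberately leaves that validation to your framework's JWT middleware.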