Hi @auth0-ikearg,
You should be making these requests from a secure backend.
Management API tokens issued to public clients (SPAs) are very limited in scope. For example, if your react app was able to update a user’s roles, the user themselves could inspect the application, extract the token, and change their own roles.
Try proxying this request through your backend/API.