Auth0 Home Blog Docs

Allow certain users to perform Management API actions



How will I get management API tokens based on logged in users roles?

Do I create one token for each user and then store it at users-scope. I could then fetch them from users profile. However, this would imply the token must not expire.


Due to the nature of the operations allowed through the Management API you should treat tokens issued to it with care, more specifically, it’s not recommended to store them in association with user data or even disclose them to end-users as that increase the chances of leakage.

If you want to provide an administration client application so that certain highly privileged users can perform management tasks associated with your account the recommended approach would be:

  1. Expose the administrative actions through your client application with the proper authorization checks.
  • A user would only be allowed to trigger the action if it had the necessary permissions/roles.
  1. From the server-side component that handles the previously authorized requests obtain the tokens with the minimum scopes required to perform the management actions through a client credentials grant.
  2. Call the management API with the token to perform the action.

The above approach is a rough description of what should happen; the important parts are that tokens are obtained and used only by server-side components (less chances of them leaking) and access to the endpoints that perform management API actions must have proper authorization checks to ensure that the user in question has the necessary permissions to perform such action.


Ok, thank you for your answer. I understand that I can create a admin-client and give scopes to that but I dont want to create a client for each role.

What about this? I have a client where I log in and recieve a token for user. The token contains roles/permissions for that user. I make a call to my backend/api with that token. I then check the permission based on the route.

var authCheck = jwt({
  secret: new Buffer('shhhhhhhhh', 'base64'),
  audience: 'myaudience'

var guard = function (req, res, next) {
  while (true) {

    if (req.path.startsWith('/claim') || req.path === '/claim') {
      var permissions = 'myClaimReadPermisson'];
      for (var i = 0; i < permissions.length; i++) {
        if (req.user.permissions.includes(permissions*)) {
        } else {
          res.status(403).send({ message: 'Forbidden' });
    // if down here then not found
    res.status(500).send({ message: 'Not found' });


If the route is usermanagement then I will create a management-token

var options = {
        method: 'POST',
        url: '',
        headers: { 'content-type': 'application/json' },
        body: '{"client_id":"CLIENT_ID","client_secret":"shhhhhh","audience":"AUDIENCE","grant_type":"client_credentials"}'

    request(options, function (error, response, body) {
        if (error) throw new Error(error);
        // set token to cache
        success = myCache.set("myManagementToken", body, 86400);

But I still cant role-base my management api token based on users roles/permisisons.
I want role A to only read the users
I want role B to update and read the users…etc…*