Correct! In general, we recommend proxying requests through a backend if possible. While you can get a Management API access token in a SPA, the scopes/permissions are rather limited by design. Here’s a simple example using the node-auth0 ManagementClient:
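
The backend-proxy pattern recommended above, as an added example that is not part of the original reply or of node-auth0: the browser never holds a Management API token, and the backend decides which user and which fields may be touched. The `mgmt.updateUser(id, patch)` wrapper, the `req.auth` claims object and the allow-listed keys are assumptions made for illustration.

```javascript
"use strict";
// Added example (not from the original reply): backend proxy for a
// self-service profile update. `mgmt.updateUser(id, patch)` is a hypothetical
// wrapper around the backend's Management API client, injected so the handler
// can run offline against a stub.

// Constructed allow-list: the only user_metadata keys a browser may change.
const ALLOWED_METADATA_KEYS = new Set(["displayName", "locale"]);

// Build the Management API patch from untrusted input, rejecting anything
// outside the allow-list instead of silently forwarding it.
function buildPatch(body) {
  const src = body ? body.user_metadata : undefined;
  if (typeof src !== "object" || src === null || Array.isArray(src)) {
    throw new RangeError("user_metadata object required");
  }
  const user_metadata = {};
  for (const [key, value] of Object.entries(src)) {
    if (!ALLOWED_METADATA_KEYS.has(key)) {
      throw new RangeError(`field not allowed: ${key}`);
    }
    if (typeof value !== "string" || value.length > 64) {
      throw new RangeError(`invalid value for ${key}`);
    }
    user_metadata[key] = value;
  }
  return { user_metadata };
}

// `req.auth` is assumed to hold claims from an access token that earlier
// middleware has already verified (signature, issuer, audience, expiry).
async function handleProfileUpdate(req, mgmt) {
  const sub = req.auth ? req.auth.sub : undefined;
  if (typeof sub !== "string" || sub === "") {
    return { status: 401, body: { error: "unauthenticated" } };
  }
  let patch;
  try {
    patch = buildPatch(req.body);
  } catch (err) {
    if (!(err instanceof RangeError)) throw err;
    return { status: 400, body: { error: err.message } };
  }
  // The target id comes from the verified token, never from the request body.
  await mgmt.updateUser(sub, patch);
  return { status: 204, body: null };
}
```

Because the handler forwards only allow-listed `user_metadata` keys for the caller's own `sub`, the Management API credentials on the backend can be scoped to just that update.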