I do not know if this is the best solution. So I created a separate endpoint getGuestToken in my API which is publicly available. Next, in Auth0, I created an M2M application. Within the getGuestToken endpoint I call the authorize of Auth0 to get an accessToken. Seems to work.
Next challenge:
- Protect the getGuestToken endpoint so that it can only be called from the SPA URL
- In the SPA, I am still figuring out how to use the returned authorization code together with the auth0-sdk.
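An added illustration of the server side of this setup (example code, not the poster's own): a `getGuestToken` handler that obtains an access token from Auth0's client-credentials grant (`POST https://{tenant}/oauth/token` with `grant_type=client_credentials`, which is the real M2M flow) using a secret that never leaves the server, caches the token until shortly before it expires, and restricts callers with an `Origin` allow-list. The tenant domain, client id/secret, audience and SPA origin are constructed placeholders; the HTTP transport is injectable so the logic can be exercised offline. The comments spell out what the `Origin` check does and does not protect against.

```python
import json
import time
import urllib.request
from typing import Callable, Optional, Tuple

# Constructed placeholder configuration; replace with your tenant's values.
AUTH0_DOMAIN = "example-tenant.auth0.invalid"
AUTH0_CLIENT_ID = "M2M_CLIENT_ID_PLACEHOLDER"
AUTH0_CLIENT_SECRET = "M2M_CLIENT_SECRET_PLACEHOLDER"
API_AUDIENCE = "https://api.example.invalid"
# Only the SPA's origin may request a guest token (hypothetical value).
ALLOWED_ORIGINS = {"https://spa.example.invalid"}
# Refresh the cached token this many seconds before Auth0 says it expires.
EXPIRY_SKEW_SECONDS = 60


def post_json_urllib(url: str, payload: dict) -> dict:
    """Default transport: POST a JSON body and parse the JSON response."""
    data = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


class GuestTokenService:
    """Mints a guest access token via Auth0's client-credentials grant and caches it.

    The M2M client secret stays on the server; the SPA only ever sees the
    resulting access token, so that token should carry narrow, read-only scopes.
    """

    def __init__(self, post_json: Callable[[str, dict], dict] = post_json_urllib,
                 now: Callable[[], float] = time.time):
        self._post_json = post_json
        self._now = now
        self._cached: Optional[Tuple[str, float]] = None  # (token, expires_at)

    def _fetch_from_auth0(self) -> Tuple[str, float]:
        # Client-credentials request body for the Auth0 /oauth/token endpoint.
        payload = {
            "grant_type": "client_credentials",
            "client_id": AUTH0_CLIENT_ID,
            "client_secret": AUTH0_CLIENT_SECRET,
            "audience": API_AUDIENCE,
        }
        body = self._post_json(f"https://{AUTH0_DOMAIN}/oauth/token", payload)
        token = body["access_token"]
        expires_at = self._now() + float(body.get("expires_in", 0))
        return token, expires_at

    def get_guest_token(self, origin: Optional[str]) -> Tuple[int, dict]:
        """Handle POST /getGuestToken: returns (HTTP status, JSON body).

        Serve this as POST only: per the Fetch spec browsers attach Origin to
        every non-GET/HEAD request, so the header is reliably present.
        """
        # Origin allow-list. Page scripts cannot forge Origin, so this stops
        # other websites from calling the endpoint from the browser. It is NOT
        # a secret: any non-browser client can send whatever Origin it likes,
        # so the guest token must be safe to hand to anyone, and the endpoint
        # should additionally be rate-limited.
        if origin not in ALLOWED_ORIGINS:
            return 403, {"error": "origin_not_allowed"}

        now = self._now()
        if self._cached is None or self._cached[1] - EXPIRY_SKEW_SECONDS <= now:
            # Cache miss or about to expire: one M2M call serves many SPA
            # visitors, which also keeps the public endpoint from becoming a
            # cheap way to burn the tenant's M2M token quota.
            self._cached = self._fetch_from_auth0()

        token, expires_at = self._cached
        return 200, {
            "access_token": token,
            "token_type": "Bearer",
            "expires_in": int(expires_at - now),
        }
```

Because the handler takes the `Origin` header value and a transport function as plain arguments, it can be wired into any web framework and unit-tested with a fake Auth0 response; the caching also means a burst of SPA visitors produces one token request rather than one per visitor.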