The recommended practice for your scenario is to obtain the access token to call the Management API by performing a client credentials grant. This grant does not imply or require user credentials; it obtains a token by providing only client application credentials (id and secret). In addition, keep in mind that this grant can only be used by confidential client applications that are able to keep the assigned secret secret.
You’re using this from a back-end, so that certainly qualifies as a confidential client. If this back-end is already part of an application represented in Auth0 as a regular web application, then you can reuse the client information to perform the client credentials grant; if not, you can just create a new non-interactive client application to represent it. In both cases you’ll need to authorize it to call the Management API; see the reference docs on how to obtain Management API tokens for more information.
With the above approach there would not be a refresh token, but the client credentials would be an equivalent, as they would also allow you to continue requesting new access tokens when the previous one expires. As an additional note, tokens sent to APIs are generally referred to as access tokens, while ID tokens are tokens issued as part of OpenID Connect and represent information about the user that performed authentication into a certain client application.
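The flow described in this answer, as an added example that is not part of the original post: a back-end helper that runs the client credentials grant and repeats it shortly before the cached access token expires, which is what stands in for a refresh token. `ManagementTokenProvider`, `http_post_json`, the tenant domain and the credential strings are hypothetical placeholders; the `/oauth/token` path and the `/api/v2/` audience follow Auth0's documented Management API convention and should be checked against your tenant.

```python
import json
import time
import urllib.request


def http_post_json(url, payload):
    """POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ManagementTokenProvider:
    """Hypothetical helper: caches the token, re-runs the grant near expiry."""

    def __init__(self, domain, client_id, client_secret,
                 post=http_post_json, clock=time.monotonic, skew=60):
        self._url = f"https://{domain}/oauth/token"
        self._body = {
            "grant_type": "client_credentials",  # no user credentials involved
            "client_id": client_id,
            "client_secret": client_secret,      # load from a secret store, not source
            "audience": f"https://{domain}/api/v2/",
        }
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def get_token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._post(self._url, self._body)
            if str(resp.get("token_type", "")).lower() != "bearer" or "access_token" not in resp:
                raise RuntimeError("unexpected token response")  # never log the body
            self._token = resp["access_token"]
            self._expires_at = now + int(resp.get("expires_in", 0))
        return self._token


if __name__ == "__main__":
    # Constructed stand-in for the token endpoint so the demo runs offline.
    count, now = [0], [0.0]
    def fake_post(url, payload):
        count[0] += 1
        return {"access_token": f"tok-{count[0]}", "token_type": "Bearer", "expires_in": 3600}
    provider = ManagementTokenProvider("tenant.example.com", "CLIENT_ID", "CLIENT_SECRET",
                                       post=fake_post, clock=lambda: now[0])
    first = provider.get_token()
    now[0] = 3600.0  # simulated expiry: the next call repeats the grant
    print(first, provider.get_token())
```

Send the returned value as `Authorization: Bearer <token>` on Management API calls; the `skew` margin avoids presenting a token that expires in flight.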