Calling the Management API from an SPA

I’m a bit confused on how to go about this:

I want to call the “searchUsers” endpoint from my Vue.js SPA. But as I understand from the documentation, the access token given by auth0-spa-js cannot have the required scopes to call most of the Management API endpoints (read:users for example).

How could I then get a token to get information about other registered users from my SPA?
The backend for the application is a Spring Boot API, should I generate the token there and use that in the SPA?

But as I understand from the documentation, the access token given by auth0-spa-js cannot have the required scopes to call most of the Management API endpoints (read:users for example).

Yes, that’s correct. Scopes are limited in that regard.
Full scopes are only granted via M2M (Machine to Machine), which should be done from a secure application such as your backend.

The backend for the application is a Spring Boot API, should I generate the token there and use that in the SPA?

No, don’t pass the Management API access token to the SPA. Instead, proxy the search request from the SPA through your backend.
Your backend communicates via M2M / Client Credentials Exchange with the Auth0 Management API.
Your SPA communicates via your backend. So, create a search endpoint on your backend, take the query, and make the query call to the Auth0 Mgmt API. Then your backend passes on the response to your SPA.

1 Like
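
The proxy pattern described in the answer above, sketched in Node.js as an added example (not code from this thread or from Auth0): the backend keeps the client credentials and the Management API token, restricts what the SPA may search for, and returns only public profile fields. The tenant domain, credentials, function names, search-term policy and the three returned fields are assumptions.

```javascript
// Added example. Assumptions: Node.js 18+ (global fetch), placeholder tenant/credentials,
// and the caller has already been authenticated by the backend's own middleware.

// Only a plain word is accepted; Lucene operators such as ':' '(' '"' never reach Auth0.
function buildUserSearchQuery(term) {
  if (typeof term !== 'string' || !/^[\p{L}\p{N}]{3,32}$/u.test(term)) return null;
  return `name:${term}*`;
}

// Return only what another user's profile page needs; no email, no app_metadata.
function toPublicProfile(u) {
  return { user_id: u.user_id, name: u.name, picture: u.picture };
}

function createUserSearch({ domain, clientId, clientSecret, fetchImpl = fetch }) {
  let cached = null; // { token, expiresAt } kept in backend memory only

  async function getMgmtToken() {
    if (cached && Date.now() < cached.expiresAt) return cached.token;
    const res = await fetchImpl(`https://${domain}/oauth/token`, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({
        grant_type: 'client_credentials',
        client_id: clientId,
        client_secret: clientSecret,
        audience: `https://${domain}/api/v2/`,
      }),
    });
    if (!res.ok) throw new Error(`token request failed: ${res.status}`);
    const { access_token, expires_in } = await res.json();
    cached = { token: access_token, expiresAt: Date.now() + (expires_in - 60) * 1000 };
    return access_token;
  }

  // Call this from the backend's own search route handler.
  return async function searchUsers(term) {
    const q = buildUserSearchQuery(term);
    if (!q) return { status: 400, body: { error: 'invalid search term' } };
    const params = new URLSearchParams({
      q, search_engine: 'v3', fields: 'user_id,name,picture', include_fields: 'true', per_page: '10',
    });
    const res = await fetchImpl(`https://${domain}/api/v2/users?${params}`, {
      headers: { authorization: `Bearer ${await getMgmtToken()}` },
    });
    if (!res.ok) return { status: 502, body: { error: 'user search failed' } };
    return { status: 200, body: (await res.json()).map(toPublicProfile) };
  };
}
```

The route handler that wraps `searchUsers` should grant the M2M application only the `read:users` scope, so a bug in the proxy cannot be turned into write access to the tenant.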

Much clearer now, thanks!

2 Likes

Glad we were able to help!

Other questions
I’m trying to implement a web SNS with an SPA. I want to be able to jump to other user account pages when I click a user’s icon in a posted comment. (Like Twitter.)

The comments above suggest that you need to use the backend API for your server, but should you use spa-auth 0 to implement the main authentication and data retrieval for the current user, and only retrieve data when using an administrative API to access user pages other than yours?

myApp is implemented in Node.js.
Backend/API (Node.js/Express) or Regular Web App (Node.js) when using the Management API?

I implemented my solution as follows:

  • Authentication and current user data via the Authentication API (which is what auth0-spa-js uses)
  • All requests regarding data from other users (and app_metadata for current user) are done via the Management API.

I used this guide for getting the machine-to-machine token used to call the Management API for my back-end.

1 Like

Thanks a lot for sharing that with the rest of the community @raimondlume!