“Auth0 does not recommend putting Management API Tokens on the frontend that allow users to change user metadata. This can allow users to manipulate their own metadata in a way that could be detrimental to the functioning of the applications. It also allows a customer to do a DoS attack against someone’s management API by just spamming it and hitting rate limits.”
Does this mean that I can still safely allow users of my SPA to change their user metadata when I have that functionality set up on my back-end? Meaning that the API token is not stored on the client side?
Does the fact that an application is SPA immediately mean that you’d put the API Token on the front-end? I am confused.
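For reference, here is the back-end pattern the question describes, as an added example that is not part of the original post and not Auth0's own code or SDK. It assumes a Node back-end where the SPA's normal access token has already been verified by middleware (for example, express-oauth2-jwt-bearer exposing the claims as `req.auth.payload`); the tenant domain and the machine-to-machine client id/secret (hypothetical values) live only in server-side environment variables; and only two Auth0 URL shapes are relied on: `POST https://{domain}/oauth/token` (client credentials) and `PATCH https://{domain}/api/v2/users/{id}`. The browser never sees the Management API token, the user id comes from the verified `sub` claim rather than the request body, and only an allow-list of scalar `user_metadata` keys can be written (so `app_metadata` and arbitrary keys are rejected server-side):

```javascript
// Added example (not from the original post or Auth0). Back-end only.
// Hypothetical config: AUTH0_DOMAIN, M2M_CLIENT_ID, M2M_CLIENT_SECRET env vars.

// Keys a signed-in user may set on their own user_metadata. Anything else,
// including app_metadata, is refused before a Management API call is made.
const ALLOWED_KEYS = new Set(["display_name", "locale", "newsletter"]);

// Build the PATCH body from the SPA-supplied JSON. `verifiedSub` must come
// from the verified access token (the `sub` claim), never from the body.
function buildUserMetadataPatch(verifiedSub, requestBody, allowedKeys = ALLOWED_KEYS) {
  if (typeof verifiedSub !== "string" || verifiedSub.length === 0) {
    throw new Error("missing subject claim on verified token");
  }
  if (!requestBody || typeof requestBody !== "object" || Array.isArray(requestBody)) {
    throw new Error("body must be a JSON object");
  }
  const userMetadata = {};
  for (const [key, value] of Object.entries(requestBody)) {
    if (!allowedKeys.has(key)) throw new Error(`key not allowed: ${key}`);
    if (value !== null && !["string", "number", "boolean"].includes(typeof value)) {
      throw new Error(`non-scalar value for ${key}`);
    }
    if (typeof value === "string" && value.length > 256) {
      throw new Error(`value too long for ${key}`);
    }
    userMetadata[key] = value;
  }
  return { user_metadata: userMetadata };
}

// Client-credentials token for the Management API, cached server-side and
// refreshed a minute before expiry so every user request does not cost a
// token call (each token call also counts against rate limits).
function createManagementTokenSource({ domain, clientId, clientSecret, fetchImpl = fetch, now = Date.now }) {
  let cached = null;
  return async function getToken() {
    if (cached && cached.expiresAt - 60_000 > now()) return cached.token;
    const res = await fetchImpl(`https://${domain}/oauth/token`, {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({
        grant_type: "client_credentials",
        client_id: clientId,
        client_secret: clientSecret,
        audience: `https://${domain}/api/v2/`,
      }),
    });
    if (!res.ok) throw new Error(`token request failed: ${res.status}`);
    const { access_token, expires_in } = await res.json();
    cached = { token: access_token, expiresAt: now() + expires_in * 1000 };
    return access_token;
  };
}

// Update the calling user's own metadata. Surfaces a 429 from the
// Management API explicitly so the caller can back off instead of retrying.
async function updateOwnUserMetadata({ domain, getToken, fetchImpl = fetch }, verifiedSub, requestBody) {
  const patch = buildUserMetadataPatch(verifiedSub, requestBody);
  const token = await getToken();
  const url = `https://${domain}/api/v2/users/${encodeURIComponent(verifiedSub)}`;
  const res = await fetchImpl(url, {
    method: "PATCH",
    headers: { authorization: `Bearer ${token}`, "content-type": "application/json" },
    body: JSON.stringify(patch),
  });
  if (res.status === 429) throw new Error("Management API rate limit hit; back off");
  if (!res.ok) throw new Error(`management API error: ${res.status}`);
  return res.json();
}

// Usage sketch with Express (route name and middleware are assumptions):
//   const getToken = createManagementTokenSource({
//     domain: process.env.AUTH0_DOMAIN,
//     clientId: process.env.M2M_CLIENT_ID,
//     clientSecret: process.env.M2M_CLIENT_SECRET,
//   });
//   app.patch("/api/me/metadata", checkJwt, async (req, res) => {
//     try {
//       const user = await updateOwnUserMetadata(
//         { domain: process.env.AUTH0_DOMAIN, getToken }, req.auth.payload.sub, req.body);
//       res.json({ user_metadata: user.user_metadata });
//     } catch (e) { res.status(400).json({ error: e.message }); }
//   });
```

The SPA calls `/api/me/metadata` with its own access token and a small JSON body; the back-end decides which user record changes and which keys may change, which is exactly what a token in the browser cannot enforce. Per-user rate limiting on this route is still worth adding, since the Management API quota is shared by the whole tenant.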