Confusion about Management API Token Limitation

benjamin203 · June 29, 2022, 9:36am

“Auth0 does not recommend putting Management API Tokens on the frontend that allow users to change user metadata. This can allow users to manipulate their own metadata in a way that could be detrimental to the functioning of the applications. It also allows a customer to do a DoS attack against someone’s management API by just spamming it and hitting rate limits.”

Does this mean that I can still safely allow users of my SPA to change their user metadata when I have that functionality set up on my back-end? Meaning that the API token is not stored on the client side?

Does the fact that an application is SPA immediately mean that you’d put the API Token on the front-end? I am confused.

tyf · July 1, 2022, 10:04pm

Hi @benjamin203!

That’s correct!

Yes - Typically SPAs are public clients only (no backend) and thus tokens would be stored in the browser. This opens up the app to security vulnerabilities.

I shared some more info in this post of yours, hopefully that helps as well!

tyf · July 16, 2022, 10:05pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Calling management API to update user meta data from SPA Help user_metadata	4	4563	June 17, 2021
SPA Management API Token Help jwt , auth0 , management-api	2	1958	June 7, 2022
Is my application a SPA or Regular Web Application? (and the consequences)? Help jwt , auth0 , api , management-api , login	0	1876	June 28, 2022
Using Management API Help management-api , users	5	1295	March 24, 2023
How to update user_metadata from front-end directly Help	2	2991	April 19, 2021

Confusion about Management API Token Limitation

Related Topics