Confusion about Management API Token Limitation

benjamin203 · June 29, 2022, 9:36am

“Auth0 does not recommend putting Management API Tokens on the frontend that allow users to change user metadata. This can allow users to manipulate their own metadata in a way that could be detrimental to the functioning of the applications. It also allows a customer to do a DoS attack against someone’s management API by just spamming it and hitting rate limits.”

Does this mean that I can still safely allow users of my SPA to change their user metadata when I have that functionality set up on my back-end? Meaning that the API token is not stored on the client side?

Does the fact that an application is SPA immediately mean that you’d put the API Token on the front-end? I am confused.

tyf · July 1, 2022, 10:04pm

Hi @benjamin203!

That’s correct!

Yes - Typically SPAs are public clients only (no backend) and thus tokens would be stored in the browser. This opens up the app to security vulnerabilities.

I shared some more info in this post of yours, hopefully that helps as well!

tyf · July 16, 2022, 10:05pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Calling management API to update user meta data from SPA Help user_metadata	4	4570	June 17, 2021
Access Management Api from React Help	7	4165	October 28, 2021
SPA - User update own user metadata Help api	2	3336	May 26, 2021
SPA Management API Token Help jwt , auth0 , management-api	2	1958	June 7, 2022
How to get access tokens from auth0 management API? Help api	8	4376	April 1, 2021

Confusion about Management API Token Limitation

Related topics