Confusion about Management API Token Limitation

“Auth0 does not recommend putting Management API Tokens on the frontend that allow users to change user metadata. This can allow users to manipulate their own metadata in a way that could be detrimental to the functioning of the applications. It also allows a customer to do a DoS attack against someone’s management API by just spamming it and hitting rate limits.”

Does this mean that I can still safely allow users of my SPA to change their user metadata when I have that functionality set up on my back-end? Meaning that the API token is not stored on the client side?

Does the fact that an application is SPA immediately mean that you’d put the API Token on the front-end? I am confused.

Hi @benjamin203!

That’s correct!

Yes - Typically SPAs are public clients only (no backend) and thus tokens would be stored in the browser. This opens up the app to security vulnerabilities.

I shared some more info in this post of yours, hopefully that helps as well!
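The back-end pattern the question describes, as an added illustration that is not code from the thread or from Auth0: the Management API token lives only on the server, the SPA sends its own access token, and the server only ever patches the caller's own `user_metadata`, with an allow-list of keys and a per-user rate limit so one user cannot burn the tenant's Management API quota. `FakeManagementClient`, `ALLOWED_KEYS`, `RATE_LIMIT` and `WINDOW_SECONDS` are constructed assumptions; a real deployment would use the Auth0 Management API (`PATCH /api/v2/users/{id}`) behind the same checks.

```python
import time


class FakeManagementClient:
    """Constructed stand-in for a Management API client held server-side.
    The real client would be configured with a Management API token that
    never reaches the browser."""

    def __init__(self):
        self.users = {}   # user_id -> user_metadata dict
        self.calls = 0    # how many Management API calls were spent

    def update_user_metadata(self, user_id, patch):
        self.calls += 1
        self.users.setdefault(user_id, {}).update(patch)
        return dict(self.users[user_id])


ALLOWED_KEYS = {"display_name", "theme"}  # assumption: keys users may self-edit
RATE_LIMIT = 5                            # assumption: updates per user per window
WINDOW_SECONDS = 60


class MetadataService:
    def __init__(self, mgmt, clock=time.monotonic):
        self._mgmt = mgmt
        self._clock = clock
        self._hits = {}  # user_id -> timestamps of recent accepted updates

    def _rate_limited(self, user_id):
        now = self._clock()
        recent = [t for t in self._hits.get(user_id, []) if now - t < WINDOW_SECONDS]
        self._hits[user_id] = recent
        if len(recent) >= RATE_LIMIT:
            return True
        recent.append(now)
        return False

    def update_own_metadata(self, caller_sub, patch):
        """caller_sub is the `sub` claim of the SPA's already-verified access
        token; the target user is never taken from the request body, so a
        caller can only ever change their own user_metadata."""
        if not caller_sub:
            return 401, {"error": "unauthenticated"}
        disallowed = set(patch) - ALLOWED_KEYS   # also blocks app_metadata, roles, etc.
        if disallowed:
            return 400, {"error": "disallowed keys", "keys": sorted(disallowed)}
        if self._rate_limited(caller_sub):
            return 429, {"error": "too many updates"}
        merged = self._mgmt.update_user_metadata(caller_sub, patch)
        return 200, {"user_metadata": merged}
```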
