Get non-restricted access tokens with serverless backend (hasura)

Hello and a happy new year to everyone.

I am implementing Auth0 into an Angular SPA that uses Hasura as “serverless backend”. For the SPA I have created an application in Auth0, didn’t create an API for this purpose though. All working fine so far…

Now the customer wants to add functionality to get all users, change their roles, etc., so I will need a non-restricted access token. This is not recommended for SPAs but it should be handled via a backend.

I am quite new to both Auth0 and Hasura, and this doesn’t seem to be a normal use case, so I didn’t find anything helpful so far on the internet.

How can I utilize Auth0 or/and Hasura to handle the access token for full access?

Thank you.

Hi @Philosofer,

Welcome to the Auth0 Community, and a happy new year!

To get an access token in Auth0 to use the Management API, you will need to Call Your API Using the Client Credentials Flow.

Once you have the access token, you can use it to get all users, change their roles, and more.

Does that help?

Thanks!

Hi rueben.tiow!

Thank you for the reply.

The article you shared describes how to use the access token to call own APIs.

In this case I would use the System API “Auth0 Management API” that was already automatically created in Auth0 when I registered and created the app.

I got that correct so far?

I am a bit confused because the article is about M2M Applications, I do have an SPA though that uses hasura as “backend”.

Hi @Philosofer,

Thank you for your response.

Yes, that’s correct. You will use the Management API in this case, instead of an API you created.

Before we continue, could you please clarify whether you are looking to update these users on the Auth0 or Hasura side?

Thank you.

The existing app is written with Angular. A regular backend doesn’t exist, only hasura is used for the current needs.

So far I used Auth0 to just handle authentication in the app, now there is a need to update users from the SPA-Side.

The customer wants admins to be able to update users within the SPA. That is the main problem. In Auth0 I added roles via rules and limit access to the user management within the App by the Authguard. Doesn’t feel right, but without a proper backend I don’t see another way.

Following these instructions https://auth0.com/docs/secure/tokens/access-tokens/management-api-access-tokens I understand that it is not possible/recommended to do it via the SPA only.

If that is true, the question is whether I can get Management API Access Tokens without a backend or via a serverless backend.
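
The pattern the thread converges on, shown as an added example that is not part of the original posts and is not Auth0's or Hasura's own code: a server-side function (assumed here to sit behind a Hasura Action) checks the caller's role, obtains a Management API token with the Client Credentials Flow, and returns only user data to the SPA. Assumptions: the `admin` role name, the `cfg` fields, the function names, and a Machine-to-Machine application authorized for the Management API with the `read:users` scope.

```javascript
// Added example. Role name, cfg fields and function names are assumptions.
const ADMIN_ROLE = "admin"; // assumed name of the role assigned in Auth0

// Hasura passes the caller's session variables to an action handler
// in the request payload under `session_variables`.
function isAdmin(payload) {
  const vars = (payload && payload.session_variables) || {};
  return vars["x-hasura-role"] === ADMIN_ROLE;
}

// Client Credentials request for the Management API.
// The client secret stays on the server and never reaches the SPA.
function tokenRequest(cfg) {
  return {
    url: `https://${cfg.domain}/oauth/token`,
    init: {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({
        grant_type: "client_credentials",
        client_id: cfg.clientId,
        client_secret: cfg.clientSecret,
        audience: `https://${cfg.domain}/api/v2/`,
      }),
    },
  };
}

// fetchImpl is injectable so the handler can be exercised offline.
async function listUsers(payload, cfg, fetchImpl = fetch) {
  // Authorize before any token is requested.
  if (!isAdmin(payload)) return { status: 403, body: { message: "forbidden" } };

  const { url, init } = tokenRequest(cfg);
  const tokRes = await fetchImpl(url, init);
  if (!tokRes.ok) return { status: 502, body: { message: "token request failed" } };
  const { access_token } = await tokRes.json();

  const usersUrl = `https://${cfg.domain}/api/v2/users?fields=user_id,email&include_fields=true`;
  const res = await fetchImpl(usersUrl, { headers: { authorization: `Bearer ${access_token}` } });
  if (!res.ok) return { status: 502, body: { message: "management API call failed" } };

  // Return only what the admin UI needs; the token itself is never returned.
  const users = await res.json();
  return { status: 200, body: users.map((u) => ({ user_id: u.user_id, email: u.email })) };
}
```

Because the handler trusts `session_variables`, it must be reachable only by Hasura; how that is enforced depends on the deployment and is not shown here.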