To learn some new technologies, I am building a small chat application that allows users to send messages to each other. I have set up my app with Auth0 for client authentication and user management. My chat messages include the sub of a user as the unique author_id.
Now, for my use case, I would like everyone who has received a message to pull up a small user profile card for the message author. This means querying the user management system with the author_id to retrieve the user profile.
I have found the get users by id endpoint which seems to fit my needs. The problem here is that this API requires a management API token, which will not be available on the client side.
Should I set up a pass-through API which authorizes users based on their app JWT token? Or should I be looking at a different approach (the fact that this API requires a management token seems to suggest so)?
You’re correct in that the /users endpoint requires a management API token. Typically, this type of request is proxied through a backend that can manage client credentials safely. The following FAQ is along the lines of what proxying through a backend will look like:
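A sketch of such a backend proxy, added here as an illustration (it is not the FAQ referred to above, nor code from the original posts). The `http`, `verify_jwt` and `can_view` callables, the `ProfileProxy` name and the choice of `PUBLIC_FIELDS` are assumptions; `/oauth/token` and `/api/v2/users/{id}` are Auth0's token and Management API endpoints.

```python
import time
from urllib.parse import quote

# Assumed allow-list for a profile card; email, identities and app_metadata stay server-side.
PUBLIC_FIELDS = ("user_id", "name", "nickname", "picture")

class ProfileProxy:
    """Backend-side lookup of a message author's public profile card."""

    def __init__(self, domain, client_id, client_secret, http, verify_jwt, can_view):
        self.domain, self.client_id, self.client_secret = domain, client_id, client_secret
        self.http = http              # assumed: http(method, url, headers=None, json=None) -> (status, dict)
        self.verify_jwt = verify_jwt  # assumed: returns the claims dict or raises on a bad token
        self.can_view = can_view      # assumed: (viewer_sub, author_id) -> bool, e.g. shared conversation
        self._token, self._expires = None, 0.0

    def _mgmt_token(self):
        # Client-credentials grant; the secret never leaves the backend and the token is cached.
        if self._token is None or time.time() >= self._expires - 60:
            status, body = self.http("POST", f"https://{self.domain}/oauth/token", json={
                "grant_type": "client_credentials",
                "client_id": self.client_id,
                "client_secret": self.client_secret,
                "audience": f"https://{self.domain}/api/v2/",
            })
            if status != 200:
                raise RuntimeError("management token request failed")
            self._token = body["access_token"]
            self._expires = time.time() + body.get("expires_in", 0)
        return self._token

    def profile_card(self, bearer_token, author_id):
        """Return (http_status, body) for a hypothetical GET /profiles/<author_id> route."""
        try:
            viewer = self.verify_jwt(bearer_token)["sub"]
        except Exception:
            return 401, {"error": "invalid token"}
        if not self.can_view(viewer, author_id):
            return 403, {"error": "forbidden"}
        # sub values contain '|' (e.g. auth0|abc), so percent-encode the path segment.
        url = f"https://{self.domain}/api/v2/users/{quote(author_id, safe='')}"
        status, user = self.http("GET", url, headers={"Authorization": f"Bearer {self._mgmt_token()}"})
        if status != 200:
            return 404, {"error": "unknown user"}
        return 200, {k: user[k] for k in PUBLIC_FIELDS if k in user}
```

The Machine-to-Machine application behind `client_id` only needs the `read:users` scope for this lookup.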