You’re correct in that the /users endpoint requires a management API token. Typically, this type of request is proxied through a backend that can manage client credentials safely. The following FAQ is along the lines of what proxying through a backend will look like: