Do you plan on only updating userMetadata? As Management API Access Tokens in a SPA are limited in scope, it may be easier/more flexible to add metadata as a custom claim(s) in tokens and access it through the user object directly. As far as updating a user, if you need to update more than userMetadata it would be best to consider proxying the request through a backend service - This allows for fully scoped Management API Access Tokens: