I’m trying to better understand how much access an authenticated user has to their metadata. There’s conflicting documentation on it. On the User Details page in the Management console it calls user_metadata "
Data that the user has read/write access to (e.g. color_preference, blog_url, etc.)".
On Understand How Metadata Works in User Profiles, it says “This data can be edited by logged in users if you build a form using the Management API and should not be used as a secure data store.” but then later it says “A user can request an access token with the appropriate scopes and use the following Management API endpoints to view, create, update, and delete user_metadata .”
Do I need to worry about the user editing their user_metadata if I don’t “build a form using the Management API?” How would the user even get a management API token? They can obviously see their access token once you give it to them, but AFAICT there’s no way for them to get a management API token (rightly).
It is possible to obtain a limited Management API token client side. If the access token is scoped properly (read only) then you shouldn’t need to worry about a user editing metadata, but it is still generally recommended to handle this server side.