tyf
August 25, 2023, 11:52pm
Hello @mike.benza welcome to the community!
mike.benza:
Do I need to worry about the user editing their user_metadata if I don’t “build a form using the Management API?” How would the user even get a management API token? They can obviously see their access token once you give it to them, but AFAICT there’s no way for them to get a management API token (rightly).
It is possible to obtain a limited Management API token client-side. If the access token is scoped properly (read-only), then you shouldn’t need to worry about a user editing metadata, but it is still generally recommended to handle this server-side.
The following FAQ outlines this exact scenario:
Question: How can I enable users to change their email address from a SPA or native app?
Answer:
Public clients (like SPAs and native applications) are restricted from requesting tokens for the management API with the proper scopes for updating a user’s email. These types of applications are limited to a few specific scopes. Because of these limitations, email change requests from public clients must flow through a backend or proxy API. This could be a serverless function with the sole purpose…
Hope this helps!
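As an added illustration of the "backend or proxy API" pattern the FAQ above recommends (example code written for this page, not Auth0's own code or the poster's): the browser sends only its ordinary access token; the server verifies it, checks that the caller is editing their own record, allow-lists which user_metadata keys may change, and only then calls the Management API with credentials that never leave the server. Token verification and the Management API client are injected, and the fakes below (token names, user ids, the `display_name`/`locale` allow-list, the `updateUserMetadata` method) are constructed assumptions so the example runs offline; a real deployment would plug in JWT verification and the Auth0 SDK's management client in their place.

```javascript
// Added example: a minimal server-side proxy for user_metadata updates.
// Nothing here is from the original post; names of fakes are assumptions.

// Keys a user may set on their own user_metadata (assumed application policy).
const ALLOWED_USER_METADATA_KEYS = new Set(["display_name", "locale"]);

function buildMetadataProxy({ verifyAccessToken, management, allowedKeys = ALLOWED_USER_METADATA_KEYS }) {
  // Returns a handler over a request-like object; status/body mirror an HTTP response.
  return function handleUpdate({ authorization, userId, body }) {
    // 1. Authenticate the caller using the public client's ordinary access token.
    const m = /^Bearer\s+(\S+)$/.exec(authorization || "");
    if (!m) return { status: 401, body: { error: "missing bearer token" } };
    let claims;
    try {
      claims = verifyAccessToken(m[1]);
    } catch (e) {
      return { status: 401, body: { error: "invalid token" } };
    }

    // 2. Authorise: the token subject may only update its own record, never another user's.
    if (!claims.sub || claims.sub !== userId) {
      return { status: 403, body: { error: "cannot modify another user" } };
    }

    // 3. Validate the patch: only user_metadata, only allow-listed string keys.
    //    app_metadata is rejected outright because it is server-controlled data.
    if (!body || typeof body !== "object" || "app_metadata" in body) {
      return { status: 400, body: { error: "only user_metadata may be changed" } };
    }
    const patch = body.user_metadata;
    if (!patch || typeof patch !== "object" || Array.isArray(patch)) {
      return { status: 400, body: { error: "user_metadata object required" } };
    }
    const filtered = {};
    for (const [key, value] of Object.entries(patch)) {
      if (!allowedKeys.has(key)) return { status: 400, body: { error: `key not allowed: ${key}` } };
      if (typeof value !== "string" || value.length > 256) {
        return { status: 400, body: { error: `invalid value for ${key}` } };
      }
      filtered[key] = value;
    }

    // 4. Call the Management API server-side. The machine-to-machine credentials
    //    live inside `management`, so no Management API token reaches the browser.
    const updated = management.updateUserMetadata(userId, filtered);
    return { status: 200, body: { user_metadata: updated.user_metadata } };
  };
}

// --- Offline fakes (constructed for this example) --------------------------

// Stand-in for real JWT verification (signature, issuer, audience, expiry).
// Maps constructed opaque tokens to the claims a verified token would carry.
const FAKE_TOKENS = {
  "tok-alice": { sub: "auth0|alice", scope: "openid profile" },
  "tok-bob": { sub: "auth0|bob", scope: "openid profile" },
};
function fakeVerifyAccessToken(token) {
  const claims = FAKE_TOKENS[token];
  if (!claims) throw new Error("bad signature");
  return claims;
}

// Stand-in for a Management API client that holds server-side client credentials.
class FakeManagementClient {
  constructor() {
    this.users = {
      "auth0|alice": { user_metadata: { locale: "en" }, app_metadata: { role: "user" } },
    };
    this.calls = []; // every call that would have hit the Management API
  }
  updateUserMetadata(userId, patch) {
    this.calls.push({ userId, patch });
    const user = this.users[userId] || { user_metadata: {}, app_metadata: {} };
    user.user_metadata = { ...user.user_metadata, ...patch };
    this.users[userId] = user;
    return user;
  }
}

// Wire the handler with the fakes (a real server injects real verification and SDK client here).
const management = new FakeManagementClient();
const handleUpdate = buildMetadataProxy({ verifyAccessToken: fakeVerifyAccessToken, management });

// Usage: alice updates her own display name through the proxy.
const res = handleUpdate({
  authorization: "Bearer tok-alice",
  userId: "auth0|alice",
  body: { user_metadata: { display_name: "Alice" } },
});
console.log(res.status, JSON.stringify(res.body));

module.exports = { buildMetadataProxy, fakeVerifyAccessToken, FakeManagementClient, handleUpdate, management };
```

The allow-list is the part worth copying: even with the Management API call made server-side, a proxy that forwards an arbitrary `user_metadata` object lets a user write any key they like, and forwarding `app_metadata` would let them write data your application treats as trusted.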