How can an admin retrieve organization members using only an access token (without Management API & client_secret)?

Hello everyone,

I am currently implementing a system where an admin of an Auth0 Organization needs to retrieve the list of members in their organization. However, I want to avoid using the Management API because it requires a Machine-to-Machine (M2M) token, which in turn requires storing and exposing a client_secret—something I want to avoid for security reasons.

My Setup:

  • I have Organizations enabled in my Auth0 tenant.
  • I can successfully authenticate as an admin and obtain an access_token with my organization.
  • I would like to retrieve the list of users that belong to my organization using only the access_token of an authenticated admin.

Key Questions:

  1. Is there any alternative way for an admin to retrieve only the users of their own organization without requiring the Management API?
  2. Can the access_token issued to an authenticated admin include a scope or permission that allows fetching the organization’s users?
  3. If this is not possible directly, what is the recommended approach to securely expose this information without requiring a backend service that holds a client_secret?
  4. Would it be possible to leverage ID tokens, user metadata, or custom claims to achieve this?

I appreciate any insights, best practices, or workarounds that the community can suggest. Thanks in advance!

Hi @luiss.dimatteo,

Unfortunately, the only way to get a list of users in an Organization is by using the Management API to get an access token to make a request to the Get members endpoint.

The best approach is to use the Management API for this scenario. While you might be able to leverage ID tokens, user metadata or custom claims to achieve this, it might reach its size limit if you have too much data stored.

Thanks,
Rueben
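One way to apply that advice without handing the client_secret to any admin, as an added example that is not part of this thread or of Auth0's own samples: a small backend holds the secret, fetches the M2M token, and serves the Get members endpoint only for the organization named in the calling admin's own (already verified) access token. It assumes placeholder values for the tenant domain and Management API credentials, that the admin's JWT has been validated by your JWT library before its claims reach this code, and that the HTTP calls are injectable so the logic can be exercised offline.

```python
# Added example: backend-for-frontend that keeps the Management API secret
# server-side and scopes every members lookup to the caller's own org_id.
import json
import urllib.request
from urllib.parse import quote

# Assumed placeholder configuration, not real credentials.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
MGMT_CLIENT_ID = "MGMT_CLIENT_ID"
MGMT_CLIENT_SECRET = "MGMT_CLIENT_SECRET"  # never leaves this server


def _post_json(url, body):
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _get_json(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def get_mgmt_token(http_post=_post_json):
    # client_credentials grant against the tenant's Management API audience
    body = json.dumps({
        "grant_type": "client_credentials",
        "client_id": MGMT_CLIENT_ID,
        "client_secret": MGMT_CLIENT_SECRET,
        "audience": f"https://{AUTH0_DOMAIN}/api/v2/",
    }).encode()
    return http_post(f"https://{AUTH0_DOMAIN}/oauth/token", body)["access_token"]


def list_members_for_caller(admin_claims, requested_org_id, mgmt_token,
                            http_get=_get_json):
    # admin_claims: verified claims of the admin's access token. A token
    # issued through an organization login carries org_id; a request for any
    # other organization is refused before the tenant-wide token is used.
    caller_org = admin_claims.get("org_id")
    if not caller_org or caller_org != requested_org_id:
        raise PermissionError("token is not bound to the requested organization")
    url = (f"https://{AUTH0_DOMAIN}/api/v2/organizations/"
           f"{quote(caller_org, safe='')}/members")
    return http_get(url, {"Authorization": f"Bearer {mgmt_token}"})
```

The admin's browser only ever sends its own access token to this backend; the M2M token and the client_secret stay on the server, and the org_id check is what keeps Company A from listing Company B.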

Hi Rueben,

Thanks for your response! I understand that the Management API is the official way to retrieve organization members. However, in a multi-tenant setup with multiple organizations, I can’t share my client_secret with all admins.

How do I ensure that Company A cannot modify users from Company B, given that the Management API operates at the tenant level? Is there a way to scope API access per organization to avoid security risks?

Is there an enterprise-friendly?

Looking forward to your insights! Thanks again.