How to allow users to only update/delete their accounts through the management api

As a rookie building my first app, I used React + Flask, which uses Auth0 to manage users.
I used this setup, which does not require an API token in my front-end client: I just forward the token to my backend API and it does the job.

Now my issue is that any user can alter the request and send a delete or update request to my server with someone else's id, and the API will delete that user.
How can I make my backend check the token passed and only delete or update that user if the token was actually issued to the user they are trying to edit or delete?

If this already has an easy solution please don't mind me; as I stated before, I'm still a rookie :smile:
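One way to implement the check the post asks for, as an added example that is not part of the original thread or of any Auth0 sample: the backend verifies the user's access token, reads its `sub` claim (the Auth0 user id the token was issued to) and only then calls the Management API, and only for that same user id. Everything here is assumed for the demo: the issuer and audience values, the `FakeManagementApi` stand-in, and the HS256 signing with a shared secret, which is used only so the code runs offline. Real Auth0 access tokens are RS256-signed and should be verified against the tenant's JWKS with a JWT library; the Management API token itself is obtained by the backend with its own client credentials and never sent to the browser.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed tenant settings for the demo (not from the original post).
ISSUER = "https://example-tenant.auth0.com/"
AUDIENCE = "https://api.example.com"
# Demo-only shared secret. Auth0 issues RS256 tokens; verify those with the tenant JWKS instead.
DEMO_SECRET = b"demo-only-hmac-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_demo_token(sub: str, ttl: int = 3600) -> str:
    """Mint the kind of access token the front end would forward (demo stand-in for Auth0)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "iat": now, "exp": now + ttl}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str) -> Optional[dict]:
    """Return the verified claims, or None if the token is malformed, forged, expired or not for this API."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        # Only accept the algorithm you configured; never let the token choose it.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(DEMO_SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None  # signature does not match: the claims (including sub) cannot be trusted
        claims = json.loads(_b64url_decode(c64))
    except (ValueError, TypeError):
        return None
    aud = claims.get("aud")
    aud_ok = AUDIENCE in aud if isinstance(aud, list) else aud == AUDIENCE
    if claims.get("iss") != ISSUER or not aud_ok:
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


class FakeManagementApi:
    """Stand-in for the backend's Management API client; records what would be deleted."""

    def __init__(self):
        self.deleted = []

    def delete_user(self, user_id: str) -> None:
        self.deleted.append(user_id)


def delete_user_handler(authorization_header: str, target_user_id: str, management_api):
    """Logic of a Flask route like DELETE /users/<user_id>: returns (status, body)."""
    if not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    claims = verify_token(authorization_header[len("Bearer "):])
    if claims is None:
        return 401, {"error": "invalid token"}
    # The ownership check: the id in the URL must be the id the token was issued to.
    if claims["sub"] != target_user_id:
        return 403, {"error": "you may only delete your own account"}
    management_api.delete_user(target_user_id)
    return 204, None


if __name__ == "__main__":
    mgmt = FakeManagementApi()
    alice = issue_demo_token("auth0|alice")
    print(delete_user_handler("Bearer " + alice, "auth0|alice", mgmt))  # own account: allowed
    print(delete_user_handler("Bearer " + alice, "auth0|bob", mgmt))    # someone else: 403
```

The same `claims["sub"] == target_user_id` comparison guards the update route; the only thing that changes is which Management API call follows it. Because the id comes from the verified token rather than from the request body or URL, a user who edits the request can only ever act on their own account.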

Hey there @reda !

Are you able to elaborate on what you mean here? How are you obtaining this token and what exactly do you mean by API token?

No user should have access to a Management API token if this is what you are referring to - These should be handled on a backend strictly.

If you haven't already I definitely recommend checking out our architecture docs to help get a high level overview of what you are looking to achieve. Most common use cases are outlined here:

The more information you can share on your environment and desired use case the better. Keep us posted!

