How to allow users to only update/delete their accounts through the management api

reda · February 18, 2023, 12:48pm

As a rookie building their first app, I used react + flask which uses auth0 to manage users.
I used this setup that does not require an API token in my front-end client I just forward the token to my backend API and it does the job.

Now my issue is any user can alter the request and send a delete or update request to my server with someone’s else id and the API will delete that user.
How can I make my backend check if the token passed and only delete or update that user if the token was actually issued to the user they trying to edit or delete?

If this has already an easy solution please don’t mind me as I stated before I’m still a rookie

ty.frith · February 22, 2023, 2:54am

Hey there @reda !

Are you able to elaborate on what you mean here? How are you obtaining this token and what exactly do you mean by API token?

No user should have access to a Management API token if this is what you are referring to - These should be handled on a backend strictly.

If you haven’t already I definitely recommend checking our our architecture docs to help get a high level overview of what you are looking to achieve. Most common use cases are outlined here:

The more information you can share on your environment and desired use case the better. Keep us posted!

Topic		Replies	Views
Get Authorization Api Token Get Help management-api	4	890	September 26, 2023
Safely delete a user via Management API Get Help delete-user	3	4192	June 2, 2020
How to get access tokens from auth0 management API? Get Help api	8	5885	April 1, 2021
How to create, update, delete and search users using API call Get Help auth0 , api , management-api	5	7291	February 25, 2021
Using token from Custom API to Auth0 Management API Get Help	3	5480	June 13, 2019

How to allow users to only update/delete their accounts through the management api

Related topics