Welcome to the Auth0 Community, Victor!
I assume you are implementing a SPA. The best solution for you will depend on what you want to achieve because Management API Tokens for SPAs have certain limitations. Specifically, they are issued in the context of the user who is currently signed in to Auth0 which limits updates to only the logged-in user’s data. Although this restricts the use of the Management API, it can still be used to perform actions related to updating the logged-in user’s user profile.
Important: Auth0 does not recommend putting Management API Tokens on the frontend that allow users to change user metadata.
You have many more details about all of the above on Get Management API Access Tokens for Single-Page Applications
Now, if you want to issue non-restricted Access Tokens because your use case requires it, the only secure solution would be to request them from a backend, so from what I understood you are in the right path. This means following Get Management API Access Tokens for Production from your backend.
I hope this clarifies a bit.