How to get Management API accessToken silently while SPA was already configured for a custom API?

Hey there,

I am using React.js and the @auth0/auth0-react SDK. I have a custom backend API. So my Auth0Provider component is configured with the audience of that custom API.

However, I also want the user to be able to update their own user_metadata using the Management API. I have created a page component to get input from the user and update the user_metadata with that input. So I need to get an accessToken for the Management API, and this is where the issue occurs. If I try to use ‘getAccessTokenSilently’ it redirects me to a page because I have already signed in for the custom API, and so all the progress is lost; another way is to use getAccessTokenWithPopup. This way React.js prompts a popup page and gets the accessToken without any need for an additional login. But this triggers another issue. Popups are not that eye-pleasing and often get blocked by the browser. So I have to use the silent method somehow.

Hope you can help me. Thanks in advance.

Hi @AlperenOzturk,

Welcome to the Community!

You can specify a different audience with getAccessTokenSilently without being redirected to login, but you’d need to use a Custom Domain for this to work when third-party cookies are blocked.

The options available would be:

  • Proxy the Management API request in your own API - This is the recommended approach as it would allow you to implement your own business-specific data validation. It’s also not recommended to expose a Management API Access Token in a public client that allows the user to update their metadata as explained in the docs:

Auth0 does not recommend putting Management API Tokens on the frontend that allow users to change user metadata. This can allow users to manipulate their own metadata in a way that could be detrimental to the functioning of the applications. It also allows a customer to do a DoS attack against someone’s management API by just spamming it and hitting rate limits.

  • Use a Custom Domain so that silent authentication would not fail and you’d be able to receive an Access Token
  • Use loginWithPopup as you are currently
1 Like

Thanks for the advice.

By saying “Proxy the Management API over your custom API”, do you mean that I must create a machine-to-machine application, send a request to my custom API backend using the frontend, process that request at the backend server and then create a request using the machine-to-machine client? If that’s what you mean, I thought about this, but sadly there is a very low machine-to-machine request limit for the Free Tier, if I’m not wrong. If you mean something else, please explain this to me a bit or direct me to a docs resource.

You’re welcome!

Yes, that is what I was referring to with the proxy option as described here:

Tokens requested for internal Auth0 APIs such as the Management API v2 (for example, when the audience is https://YOUR_DOMAIN/api/v2/) won’t count towards the M2M quota:

1 Like
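To make the proxy option discussed in the two replies above concrete, here is an added example (not code from the thread or from Auth0) of the backend side in Node.js: the SPA calls the custom API with the access token it already holds for that audience, the custom API verifies that token and takes the user id from its `sub` claim, applies its own validation to the requested `user_metadata` keys, obtains a client-credentials token for `https://YOUR_DOMAIN/api/v2/` (the kind the reply says does not count toward the M2M quota), caches it, and issues the `PATCH /api/v2/users/{id}` itself. The Management API token therefore never reaches the browser. Assumptions not stated in the thread: the custom API already validates the SPA’s JWT (any JWT middleware will do; only the verified claims are passed in here), the allowlisted metadata keys, the tenant domain and the M2M credentials are illustrative, and `fetchImpl` is injected so the code can run against a fake in tests and against the global `fetch` in production.

```javascript
// Added example, not from the original thread. Proxies user_metadata updates
// through the custom API so no Management API token is exposed to the SPA.

// Business-specific validation: only these user_metadata keys may be changed
// by the user, and only with these value shapes. (Illustrative allowlist.)
const ALLOWED_KEYS = {
  display_name: (v) => typeof v === "string" && v.length >= 1 && v.length <= 64,
  newsletter_opt_in: (v) => typeof v === "boolean",
  locale: (v) => typeof v === "string" && /^[a-z]{2}(-[A-Z]{2})?$/.test(v),
};

// Validate the JSON body the browser sent. Unknown keys and malformed values
// are rejected before anything is sent to Auth0.
function validateMetadata(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, error: "body must be a JSON object" };
  }
  const out = {};
  for (const [key, value] of Object.entries(body)) {
    const check = ALLOWED_KEYS[key];
    if (!check) return { ok: false, error: `key not allowed: ${key}` };
    if (!check(value)) return { ok: false, error: `invalid value for ${key}` };
    out[key] = value;
  }
  if (Object.keys(out).length === 0) return { ok: false, error: "nothing to update" };
  return { ok: true, value: out };
}

// Client-credentials token for the Management API audience, cached until one
// minute before expiry so a single M2M token serves many user requests.
// domain/clientId/clientSecret are assumed to come from server-side config.
function createManagementTokenSource({ domain, clientId, clientSecret, fetchImpl, now = () => Date.now() }) {
  let cached = null; // { token, expiresAt }
  return async function getToken() {
    if (cached && cached.expiresAt - 60000 > now()) return cached.token;
    const res = await fetchImpl(`https://${domain}/oauth/token`, {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({
        grant_type: "client_credentials",
        client_id: clientId,
        client_secret: clientSecret,
        audience: `https://${domain}/api/v2/`,
      }),
    });
    if (!res.ok) throw new Error(`token request failed: ${res.status}`);
    const data = await res.json();
    cached = { token: data.access_token, expiresAt: now() + data.expires_in * 1000 };
    return cached.token;
  };
}

// Handle one update request from the SPA. `claims` are the already-verified
// claims of the SPA's access token for the custom API; the target user id is
// taken from `sub`, never from the request body, so a user can only change
// their own record. Returns an HTTP-style { status, body } for the framework.
async function updateOwnMetadata({ claims, body, domain, getToken, fetchImpl }) {
  const checked = validateMetadata(body);
  if (!checked.ok) return { status: 400, body: { error: checked.error } };
  const token = await getToken();
  const url = `https://${domain}/api/v2/users/${encodeURIComponent(claims.sub)}`;
  const res = await fetchImpl(url, {
    method: "PATCH",
    headers: { authorization: `Bearer ${token}`, "content-type": "application/json" },
    body: JSON.stringify({ user_metadata: checked.value }),
  });
  // Management API rate limits surface as 429; shield the tenant by backing off
  // the caller rather than retrying in a loop.
  if (res.status === 429) return { status: 503, body: { error: "try again later" } };
  if (!res.ok) return { status: 502, body: { error: "upstream error" } };
  const user = await res.json();
  return { status: 200, body: { user_metadata: user.user_metadata } };
}
```

In production, wire `updateOwnMetadata` behind your JWT-verifying middleware, pass `fetchImpl: fetch`, and have the React page call this endpoint with the token from `getAccessTokenSilently()` for the custom API audience; the browser never needs a token for `https://YOUR_DOMAIN/api/v2/` at all.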

Oh got it. Didn’t know about that. Proxying the request over my backend server seems the way to go then. Thanks for everything.

1 Like