You can indeed authorize a second time to use a different audience and as a consequence obtain an access token suitable to another API, however, you mention that one of the two audiences being used is the Management API. In this situation I would consider the following, only request an audience targeting your API and obtain access tokens meant for the Management API only through a client credentials flow that would be performed by your API/ Node server.
The above would mean that any access to the Management API would be brokered through your own API and the client application would only manage access tokens associated with your own API (the Management API access tokens would only be available with the server-side of your API).
In addition, the scope openid profile
grants access to user profile information, but email is not included in the set of properties associated with the profile
scope. If you also want to have access to the email address, you should also include the email
scope. In relation to user metadata, since this is not standard information you’ll need to use custom claims if you want to include it in the issued ID token. Finally, in order for the access tokens issued to your API to also be usable in the /userinfo
endpoint you need to ensure that your API is configured to use RS256
as the signing method.