Upon signup, Auth0 automatically sends a verification email, but what I am trying to implement is a Resend Email Verification button in the frontend application, which will request Auth0 to resend the verification email (in case the user loses the previous verification email). I figured out that I need to call this API in the Auth0 Management API, which needs the scope update:users, but the accessToken I got from Auth0 only has the openid, users and email scopes.
So the questions are:
- How do I add a scope to the accessToken generated by Auth0, so that I can call the Auth0 Management API?
- Is adding scope a good practice?
- Another approach to this could be creating a Machine to Machine application that will have the update:users scope. I will also create a backend service that will store the application secret id, and my frontend application will call my backend endpoint, which will call the Auth0 Management API on my behalf to resend the verification email. This approach might work, but my concern is: is this a good approach?
If not, what might be the best approach?
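
The backend-proxy approach from the last bullet, sketched as an added example that is not part of the original post or Auth0's own code. Assumptions: the API meant is the Management API's `POST /api/v2/jobs/verification-email`, the caller's access token has already been verified by the backend's middleware, and `VerificationEmailProxy` and the injected `http_post(url, json_body, headers)` transport are hypothetical names.

```python
import time

class VerificationEmailProxy:
    """Backend-side helper; the M2M client secret never reaches the browser."""

    def __init__(self, domain, client_id, client_secret, http_post,
                 cooldown=60.0, clock=time.monotonic):
        self.base = f"https://{domain}"
        self.client_id, self.client_secret = client_id, client_secret
        self.http_post = http_post   # assumed transport: returns parsed JSON
        self.cooldown, self.clock = cooldown, clock
        self._token, self._token_exp = None, 0.0
        self._last_sent = {}         # user_id -> time of last resend

    def _mgmt_token(self):
        # Client-credentials grant for the M2M app, cached until near expiry.
        now = self.clock()
        if self._token is None or now >= self._token_exp:
            resp = self.http_post(f"{self.base}/oauth/token", {
                "grant_type": "client_credentials",
                "client_id": self.client_id,
                "client_secret": self.client_secret,
                "audience": f"{self.base}/api/v2/",
            }, {})
            self._token = resp["access_token"]
            self._token_exp = now + resp["expires_in"] - 30
        return self._token

    def resend(self, verified_claims):
        # The target user is taken only from the caller's own verified token,
        # never from the request body, so a user cannot trigger mail for others.
        user_id = verified_claims["sub"]
        now = self.clock()
        last = self._last_sent.get(user_id)
        if last is not None and now - last < self.cooldown:
            return {"status": "rate_limited"}   # per-user cooldown
        job = self.http_post(
            f"{self.base}/api/v2/jobs/verification-email",
            {"user_id": user_id},
            {"Authorization": f"Bearer {self._mgmt_token()}"},
        )
        self._last_sent[user_id] = now
        return {"status": "queued", "job": job}
```

The frontend sends only its own user access token to this backend; the `update:users` permission stays on the Machine to Machine application.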