How to return full `profile` when updating `user_metadata`?

Understood. Right now I’m only using an access token with user_metadata and update:current_user_metadata (with Management API audience), so perhaps that’s all I’ll need — it seems pretty secure.

It does seem unsafe to store the Management API token in the SPA app. At least with the access token it’s only on the user’s browser and can only torpedo their own account if it gets hacked!

  1. Could you point me to the bits of the SPA code you’re talking about?
  2. Is the user ID ("sub") always completely random?

I can always admin the management API locally, and if (2) is true the likelihood of a brute force attack seems quite small.
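As an added example (not code from this thread or from Auth0), here is the shape of the self-service update the post describes: the SPA holds a user access token minted for the Management API audience with the `update:current_user_metadata` scope, patches only the user whose `sub` is in that token, and keeps whatever JSON the `PATCH /api/v2/users/{id}` call returns. The tenant domain, the demo token and the `fakeFetch` response are constructed placeholders so it runs offline; the client-side claim checks are a sanity check only, since the real authorization decision is made by Auth0 when it validates the token's signature, audience and scope server-side.

```javascript
// Added example: update the caller's own user_metadata from an SPA using a
// Management-API-audience access token limited to update:current_user_metadata.
// DEMO_DOMAIN, the demo token and fakeFetch are constructed for illustration.

// Read the (unverified) claims of a JWT so the client can refuse to send a
// request that Auth0 would reject anyway. Never treat this as validation.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Build the PATCH request. The target user id is always taken from the token's
// own `sub`, so the SPA cannot be talked into updating another account.
function buildMetadataPatch({ domain, accessToken, userMetadata }) {
  const claims = decodeJwtPayload(accessToken);
  const expectedAud = `https://${domain}/api/v2/`;
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAud)) {
    throw new Error('token was not issued for the Management API audience');
  }
  const scopes = String(claims.scope || '').split(' ');
  if (!scopes.includes('update:current_user_metadata')) {
    throw new Error('token lacks update:current_user_metadata');
  }
  return {
    url: `https://${domain}/api/v2/users/${encodeURIComponent(claims.sub)}`,
    options: {
      method: 'PATCH',
      headers: {
        Authorization: `Bearer ${accessToken}`,
        'Content-Type': 'application/json',
      },
      // Only user_metadata is sent; app_metadata is not writable with this scope.
      body: JSON.stringify({ user_metadata: userMetadata }),
    },
  };
}

// Send the request and return the JSON body the API responds with.
async function updateCurrentUserMetadata(args, fetchImpl = fetch) {
  const { url, options } = buildMetadataPatch(args);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`Management API returned HTTP ${res.status}`);
  return res.json();
}

// --- constructed demo inputs -------------------------------------------------

// Builds an unsigned-looking token with the given claims (assumption: only the
// payload matters for the client-side checks above; Auth0 would reject it).
function makeDemoToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.demo-signature`;
}

const DEMO_DOMAIN = 'example.auth0.com'; // placeholder tenant domain
const DEMO_TOKEN = makeDemoToken({
  sub: 'auth0|demo-user',
  aud: ['https://example.auth0.com/api/v2/'],
  scope: 'openid update:current_user_metadata',
});

// Stand-in for fetch: echoes the patched metadata back in a constructed profile.
async function fakeFetch(url, options) {
  const sent = JSON.parse(options.body);
  return {
    ok: true,
    status: 200,
    json: async () => ({
      user_id: 'auth0|demo-user',
      email: 'demo@example.com',
      user_metadata: sent.user_metadata,
    }),
  };
}

updateCurrentUserMetadata(
  { domain: DEMO_DOMAIN, accessToken: DEMO_TOKEN, userMetadata: { theme: 'dark' } },
  fakeFetch,
).then((profile) => console.log(JSON.stringify(profile)));
```

In a real SPA `fetchImpl` is the browser's `fetch` and the token comes from the SDK's token request with the Management API audience and only the scopes the page needs; a token that carries broader `update:users` rights belongs on a backend, not in the browser.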