Is it possible to manipulate user metadata without using a Management API token?

I have an Angular 4 app. I need to store some data about the user that they can edit. Does the app need the management API token in order to allow users to manipulate user metadata?

Given it’s a SPA there’s no secure way to obtain a full Management API token through client credentials because the application would not be able to securely maintain the client secret.

With this in mind, the usual approach is for you to proxy this type of requests through your own API which would mean the SPA itself would not be aware of the Management API. In general, this is a cleaner approach as simplifies things at the SPA level. As an alternative the SPA could request on behalf of the end-user an access token that could be used at the Management API to perform operation specific to that user. For example, the SPA could request an access token the Management API using the audience parameter and then include the scope update:current_user_metadata.

The above would mean the SPA could get an access token able to update the current user metadata. However, this also implies that the user is shown a consent screen where they can confirm if they let the application perform that operation on their behalf. As far as I’m aware, the consent screen cannot be avoided at this time so this is one more reason to prefer proxying the requests through your own API.

1 Like

Just to be clear: then the only way for a user to update their own metadata (not other user’s) is through the Management API with a token and some scope like update:current_user_metadata as you suggested?

Technically, the SPA could request the access token for the Management API directly if the operation it wants to performs only involves the current user, however, at this time this would trigger a consent screen to be shown and there’s not configuration available to disable that consent step so the above option of proxying the request would be my recommendation for improved user experience.