Is there a way to permit an M2M on the management API to read only user info without user metadata?

Hi,

I want my backend which uses the management API to be permitted to read only the users’ information without the users’ app metadata.

I created an M2M app and defined the permissions for the Auth0 management API only to read:users without the read:users_app_metadata permission.
But with this permission, I was still able to read all of the user data, including the user’s app metadata.

Is there a way to limit the permissions to be able to read users without the app metadata?

Alternatively, if I define only the read:users_app_metadata permission, which endpoint do I use to retrieve only the user’s app metadata? This permission is not sufficient to call the get_users endpoint, so which endpoint is this permission good for?

Hi @david27,

Welcome to the Auth0 Community!

I understand that you are looking for a way to use the Management API to read the user’s profile without the user’s app_metadata.

Unfortunately, it is not possible to get the user’s profile without the app_metadata. That is, the app_metadata will always be a part of the user profile response.

When using the Management API, the Access Token used for making requests will always contain all the scopes (permissions) and cannot be modified.

Instead, please use the Authentication API /userinfo endpoint to get the user profile without the app_metadata. If needed, the app_metadata can be added separately using an Auth0 Action.

I hope this helps!

Please let me know if you have any questions.

Thank you.
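Since the Management API token's scopes cannot be narrowed to exclude app_metadata, a backend that must keep using read:users can at least enforce the restriction on its own side: ask the API to exclude the metadata fields from the response and then allowlist the fields it keeps before the profile is logged or forwarded. The following is an added example, not code from the thread or from Auth0; the tenant domain, token and user_id are assumed inputs, and the sample response is constructed.

```python
import json
import urllib.parse
import urllib.request

# Allowlist of profile fields this backend needs. Anything not listed,
# including app_metadata and user_metadata, is discarded on receipt.
ALLOWED_FIELDS = frozenset({
    "user_id", "email", "email_verified", "name", "picture", "created_at",
})

# Fields excluded server-side via the Management API's fields/include_fields
# query parameters. This only trims the response body; the token's scopes are
# unchanged, so the metadata remains readable with that token.
EXCLUDED_FIELDS = "app_metadata,user_metadata"


def minimize_profile(profile: dict) -> dict:
    """Project a Management API user object onto ALLOWED_FIELDS."""
    return {k: v for k, v in profile.items() if k in ALLOWED_FIELDS}


def contains_metadata(profile: dict) -> bool:
    """True if a metadata object is present; guard before logging/forwarding."""
    return any(k in profile for k in ("app_metadata", "user_metadata"))


def get_user_minimized(domain: str, mgmt_token: str, user_id: str) -> dict:
    """GET /api/v2/users/{id} (assumed domain/token) and minimize the result."""
    query = urllib.parse.urlencode({"fields": EXCLUDED_FIELDS, "include_fields": "false"})
    path = urllib.parse.quote(user_id, safe="")  # "auth0|..." -> "auth0%7C..."
    url = f"https://{domain}/api/v2/users/{path}?{query}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {mgmt_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        full = json.load(resp)
    minimized = minimize_profile(full)
    if contains_metadata(minimized):  # defense in depth: must never happen
        raise RuntimeError("metadata leaked through projection")
    return minimized


# Constructed sample, shaped like a Management API user object.
SAMPLE_RESPONSE = {
    "user_id": "auth0|example-user-id",
    "email": "jane@example.com",
    "email_verified": True,
    "name": "Jane Example",
    "app_metadata": {"roles": ["admin"]},
    "user_metadata": {"theme": "dark"},
}
```

Applying minimize_profile to SAMPLE_RESPONSE yields only user_id, email, email_verified and name; the two metadata objects are gone even when the API returns them.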