Load User Profiles Client Side

Hello, I want to load the user’s profile similar to the Management API’s /api/v2/users/{user_id}

The SPA uses account linking and I need this information in the front end so that I can prompt a user to refresh their account link (and access token) for sub accounts when it has expired. I can’t call the Management API to load an access token client side as it would require sharing the client id and secret with the browser, which is totally reckless.

/userinfo is too shallow and doesn’t contain the profiles of the sub identities like the deprecated version of the API does.

I ended up making a pass through api that checks that a user is authenticated and then loads their user profile from /api/v2/users/{user_id}. I don’t believe there should be any security concerns, but thoughts? Also, why do access_tokens stick around in a user’s profile after they’ve expired?