Creating a custom API won’t work. You’ll need to use the default Auth0 Management API.
which has access to everything
If this is the concern, you can always create a new non-interactive app (in Applications) and give it permission for Auth0 Management API with only the required scopes. It won’t have access to the other scopes.