Management API: can I create a client *without* a bearer token?

I have an existing app which an end-user configures as their own website (the app “turns into” a website with lots of customisations). The final website does not yet have SSO, and I’m looking at Auth0 to provide this functionality.

Auth0 doesn’t appear to have any way to let the configuration program create a new tenant, so my roadmap looks like this:

  1. The end-user manually signs up to Auth0, and creates a single tenant (the end-user is generally not technically literate, so can’t be asked to do anything “difficult”)

  2. The end-user supplies their new client domain, ID, and secret to my config program

  3. My config program creates a new M2M client with the management API

  4. My config program uses the new management API to fix everything up (add users, set text on the login page, and so on)

I’ve been playing with the API, and I can do most of this, but there’s one (big) problem. Step (3) requires bearer authorisation, but this isn’t available until after step (3). Catch-22.

Is there some way around this? Or do I have to ask the end-user to manually create two apps?
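The token exchange that steps 2 and 3 depend on, as an added example that is not part of the original post and is not Auth0's own code. It assumes the credentials supplied in step 2 belong to a Machine-to-Machine application that the tenant owner has authorised for the Management API; the function names and the tenant domain used with them are hypothetical.

```python
import base64
import json
import urllib.request

# Assumption: the step-2 application was granted these Management API scopes.
# The second one lets the config program authorise the client it creates.
REQUIRED_SCOPES = {"create:clients", "create:client_grants"}


def token_request(domain, client_id, client_secret):
    """Client-credentials request that turns the step-2 secret into a bearer token."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": f"https://{domain}/api/v2/",
    }
    return urllib.request.Request(
        f"https://{domain}/oauth/token", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")


def missing_scopes(access_token, required=REQUIRED_SCOPES):
    """Pre-flight only: read the JWT payload (signature NOT verified here;
    the Management API enforces scopes) and list the scopes the token lacks."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    granted = set(claims.get("scope", "").split())
    return sorted(set(required) - granted)


def create_client_request(domain, access_token, name):
    """Step 3: build the create-client call, refusing an under-scoped token."""
    lacking = missing_scopes(access_token)
    if lacking:
        raise PermissionError(f"token lacks scopes: {', '.join(lacking)}")
    body = {"name": name, "app_type": "non_interactive"}  # M2M application type
    return urllib.request.Request(
        f"https://{domain}/api/v2/clients", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {access_token}"},
        method="POST")
```

Both functions only build the requests; pass them to `urllib.request.urlopen` to send them, and keep the step-2 secret out of logs and version control.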