Management API Client Grants Only allow current user to update themselves

Hi @scott.stern06,

One important thing to remember about SPAs is that they live on the client and can be inspected by any user who has access. Because of that, they are quite limited in what scopes they should receive, as anyone who gets that token can access your Management API with all the scopes that the token contains.

Users should be able to update their user_metadata. This information is typically used for things like an address or other user-controlled data. If you want to change something like a user role, or anything else you don't want the user to have access to, that will have to be done via your backend.

Let me know if I missed anything,

Thanks,
Dan
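The split Dan describes (self-service edits limited to user_metadata, privileged fields only via a backend) can be enforced with a small authorization check in the backend that fronts the Management API. The following is an added example, not code from the original thread or from Auth0; it assumes the caller's identity is the `sub` claim of an already-verified access token and that the user object uses Auth0's user_metadata / app_metadata field names, while the function and helper names are constructed for illustration.

```javascript
// Added example: backend-side guard for "a user may only update their own
// user_metadata". Token verification and the Management API call themselves
// are out of scope; only the authorization decision is shown.

// Fields a user is allowed to change on their own record (assumption: only
// user_metadata is self-service; app_metadata, roles, email etc. are not).
const SELF_EDITABLE = new Set(['user_metadata']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

/**
 * Decide whether `requestedPatch`, sent by the caller identified by
 * `callerSub` (the `sub` claim of the verified access token), may be
 * applied to `targetUserId`. Returns { allowed, patch?, reason? }.
 */
function authorizeSelfUpdate(callerSub, targetUserId, requestedPatch) {
  // 1. Identity check: the target must be the caller's own user id.
  if (typeof callerSub !== 'string' || callerSub !== targetUserId) {
    return { allowed: false, reason: 'caller may only update their own profile' };
  }
  // 2. Shape check on the body.
  if (!isPlainObject(requestedPatch)) {
    return { allowed: false, reason: 'patch must be a JSON object' };
  }
  // 3. Privilege check: reject (rather than silently drop) any field that is
  //    not self-editable, e.g. app_metadata or roles. A client sending these
  //    from an SPA is a signal worth logging.
  const disallowed = Object.keys(requestedPatch).filter((k) => !SELF_EDITABLE.has(k));
  if (disallowed.length > 0) {
    return { allowed: false, reason: `fields not self-editable: ${disallowed.join(', ')}` };
  }
  if (!isPlainObject(requestedPatch.user_metadata)) {
    return { allowed: false, reason: 'user_metadata must be a JSON object' };
  }
  // 4. Forward only the allowed subset as a fresh object, so nothing else
  //    from the request body can reach the Management API call.
  return { allowed: true, patch: { user_metadata: { ...requestedPatch.user_metadata } } };
}

// Constructed sample calls (not real user ids):
console.log(authorizeSelfUpdate('auth0|abc', 'auth0|abc', { user_metadata: { city: 'Oslo' } }));
console.log(authorizeSelfUpdate('auth0|abc', 'auth0|abc', { app_metadata: { roles: ['admin'] } }));
```

The backend then calls the Management API with its own client credentials and the filtered `patch`, so the SPA never holds a Management API token at all.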