Management API not working from SPA

I’m trying to update user information in a Vue app to enable the user to edit their profile.
After getting a token with the correct audience and scopes I still get a 400 Bad HTTP authentication header format error.

       var auth0Authentication = new auth0.Authentication({
          domain: options.domain,
          clientID: options.clientId,

        return auth0Authentication.login({
          realm: 'Username-Password-Authentication',
          username: username,
          password: password,
          audience: 'https://' + options.domain + '/api/v2/',
        }, async (err, authResult) => {
          if (err) {
            this.error = err
            this.loading = false
          } else {
            console.log('authResult', authResult)

            var decodedAccessToken = jwtDecode(authResult.accessToken)
            console.log('decodedAccessToken', decodedAccessToken)

            var auth0Management = new auth0.Management({
              domain: options.domain,
              token: decodedAccessToken.azp,

            auth0Management.getUser(decodedAccessToken.sub, (err, user) => {
              console.log('err', err) // This is where I get an error
              console.log('user', user)


Hi @mjanowski,

Welcome to the Auth0 Community!

It looks like he might be running into a couple of issues here.

Hi @dan.woda,

I think I did try using authResult.accessToken first but the idToken was missing from the response which led me to start trying other things.

I have since added these scopes: scope: 'openid profile email address phone read:current_user update:current_user_metadata' and now I get both the idToken and accessToken with the right permissions so it’s working!

One thing I would like, which seems to not be possible currently is to be able to update user fields like name, given_name and family_name using patchUserAttributes(). I’ve got around that by setting metadata and using a rule to populate those fields but that is not an ideal solution.

You are not able to update those attributes from a SPA. This is because a token with those permissions, on the client, could be grabbed by the user and used to update those attributes without you (the admin) knowing.

You must make requests to update the user’s core attributes from a secure client like a backend or API.

But for some apps it makes sense for users to be able to update their own information. In my case I want the users to be able to edit their profile (names etc.) and I don’t want to have to build a backend for that.

Thanks for the added context. Currently, you will need to make that request from a secure backend.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.