Management API token for SPA

Hi there,

I have SPA for which I want to get management API token to update user profile and reset password. I am not getting Management API token.

I went through this:

This redirected me to :

Which asks me to create M2M application as described here:

I already have default M2M application in my apps. On this page:
It then asked me to get Management API token via POST call to


with credentials of M2M application. Parameters asks for audience and client_secret. Even after passing Management API audience I am getting 401.

I even tried this suggestion: Need help accessing Management API using react-auth0-spa-js

It is working only with loginWithPopup method and the management API token I receive is not getting the scopes I requested.

Could someone please help me in getting out of these?

Hi @rushi.thakker,

Welcome to the Community!

We don’t recommend requesting management API tokens in SPAs. The first link you posted talks about why that is.

Instead, you should send that request to your backend or API and have that machine to machine application make the request on behalf of your SPA.

Does that make sense?

Hi @dan.woda,

Sorry for late reply. We had to roll over that feature to the next sprint of our project. First link tells me about limitations and that I can get management API token to update logged in users details. This is possible, right?

If so, can you please guide me into depth of it as to where am I making mistake?

Thanks and Regards

This is only partially correct. You can update the current user’s user_metadata, which is an object that is specifically designed for the user to have control over.

You cannot update things like email, password, and other parts of the user’s profile with management API tokens for SPAs.

With that said, we still don’t recommend requesting them in SPAs. You should do this from your backend.

1 Like

Thanks @dan.woda for quick response.

One last question: Currently, we have a backend API to update user profile data and to create new users. Everything is working fine but Management API is taking too long to respond. It is taking 4-5 seconds to get response.

Could you please let us know anyway to optimise it or if we are doing anything wrong?

Thanks and Regards

1 Like

That is unusually long. Which endpoints are you using?

hi @dan.woda, we are using Get Users, update user and create user end point. We’re using the Java Client to connect to the Auth0 Management API.
First, we generate a management Api token which takes around 1-3 seconds and then call the above APIs which take average response time of 3-4 seconds each.

We’re not able to find any reason.

PS - We hardly have 10-15 users and we don’t even retrieve all of them at once(apply a filter on user_metadata field)

Are you getting a new token for each call?

No @dan.woda, only one token which we reuse in subsequent calls.

Can you post the code to the call so I can take a look?

hi @dan.woda

		AuthAPI authAPI = new AuthAPI(issuer, clientId, clientSecret);
		AuthRequest authRequest = authAPI.requestToken(managementURL);
		TokenHolder holder;
		try {
			holder = authRequest.execute();
		} catch (Auth0Exception e) {
		return holder.getAccessToken();

Once I get the token I execute the below code

			ManagementAPI mgmt = new ManagementAPI(issuer, token);
			UserFilter filter = new UserFilter().withTotals(true).withQuery("user_metadata.y:1")
		.withFields("user_id,email,given_name,family_name,email_verified,created_at,updated_at", true);
users = mgmt.users().list(filter).execute().getItems();

These two steps are taking 4-5 seconds. I don’t have any business logic over this.
With create API, the time increases to 8.

@dan.woda Can you please look into this? I have also raised a new issue here. Can you please have a look at it?

I tried this call against the management API and my total duration is about 80ms for the user call.

Here is the GET with params. Not sure why this would take 4-5 seconds, especially if you already have the access token cached.`

What environment are you testing this on, what region are you in, is it local or are you using a cloud deployment?

Have you tried the raw request in postman?