I want to let users modify their accounts using exclusively client-side code and JWTs. It seems the Management API is necessary, but I’m unclear on permissions.

Linking user accounts seems to be possible with simple user JWTs:

But in general, the documentation seems to say the Management API needs a special JWT that should be used server side only.

For example, is there any way to let a user directly change their password using this endpoint, with their own JWT?

I tried, but get a “Bad audience” error.

Also, if I understand correctly, certain parts of the Management API (such as post_identities) can use user tokens, but others require special server-only tokens (such as patching users). Is this clearly specified somewhere?