
Management API Best Practice

api
management-api
authnticate-api
authnticap-api

#1

I am working on a MEAN stack application and was just curious on the best way of calling the Management API. Should I wrap the calls to Auth0 in my Express back-end or make the calls directly from my front-end services? Wrapping it in the back-end would lead to an extra request as they are hosted on different servers. Just curious what everyone else is doing and what is considered best practice for this.


#2

Management API calls require an access_token obtained via a Client Credentials grant flow, hence should not be performed from the frontend (the client credentials flow requires the client_secret, which a SPA frontend cannot store securely).

Calls to the Management API should be proxied through your backend to securely perform a Client Credentials exchange to obtain and cache the access_token. This is outlined further in this document.
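The backend pattern described in the reply above, sketched for an Express/Node server as an added example that is not part of the original thread: the server performs the Client Credentials exchange, caches the access_token until shortly before it expires, and shares one in-flight exchange between concurrent requests. The names `createMgmtTokenProvider` and `callManagementApi`, the injectable `fetchFn`/`now` parameters and the 60-second refresh margin are assumptions made for this example.

```javascript
// Added example: server-side Management API token cache (hypothetical names).
// This code runs only on the backend; client_secret never reaches the browser.
function createMgmtTokenProvider({ domain, clientId, clientSecret,
                                   fetchFn = globalThis.fetch,
                                   now = Date.now, skewMs = 60000 }) {
  let cached = null;   // { token, expiresAt } from the last successful exchange
  let inFlight = null; // shared promise so concurrent callers trigger one exchange

  async function exchange() {
    const res = await fetchFn(`https://${domain}/oauth/token`, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({
        grant_type: 'client_credentials',
        client_id: clientId,
        client_secret: clientSecret,
        audience: `https://${domain}/api/v2/`,
      }),
    });
    if (!res.ok) throw new Error(`token exchange failed: HTTP ${res.status}`);
    const body = await res.json();
    cached = { token: body.access_token, expiresAt: now() + body.expires_in * 1000 };
    return cached.token;
  }

  return async function getToken() {
    // Reuse the cached token until skewMs before expiry.
    if (cached && now() < cached.expiresAt - skewMs) return cached.token;
    // A failed exchange clears inFlight, so the next caller retries.
    if (!inFlight) inFlight = exchange().finally(() => { inFlight = null; });
    return inFlight;
  };
}

// Hypothetical helper for route handlers: the browser receives the API
// result only, never the Management API token itself.
async function callManagementApi(getToken, domain, path, fetchFn = globalThis.fetch) {
  const token = await getToken();
  const res = await fetchFn(`https://${domain}/api/v2/${path}`, {
    headers: { authorization: `Bearer ${token}` },
  });
  if (!res.ok) throw new Error(`Management API error: HTTP ${res.status}`);
  return res.json();
}
```

An Express route would authenticate and authorize the calling user first, then call `callManagementApi` and return only the fields the frontend needs.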

