I am working on a MEAN stack application and was just curious on the best way of calling the Management API. Should I wrap the calls to Auth0 in my Express back-end or make the calls directly from my front-end services? Wrapping it in the back-end would lead to an extra request as they are hosted on different servers. Just curious what everyone else is doing and what is considered best practice for this.
Management API calls require an access_token obtained via a Client Credentials grant flow, hence should not be performed from the frontend (The client credentials flow requires the client_secret, which a SPA frontend cannot store securely).
Calls to the Management API should be proxied through your backend to securely perform a Client Credentials exchange to obtain and cache the access_token. This is outlined further in this document.