MFA Grant Type with SPA

Problem Statement

When assigning the MFA grant type to a Single Page Application (SPA), we received a security warning. Is the MFA grant type allowed with SPAs?

Solution

As the warning states, using the MFA grant with a public client is not recommended. This follows the same principle by which Auth0 does not issue Management API access tokens with full scopes to public clients (refer to the documentation). A Single Page Application (SPA) cannot securely store sensitive data such as a client secret, because everything it holds lives either in memory or in the browser's storage; for the same reason, access tokens scoped for Auth0 APIs should not be stored in a public client.
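As an added example (not from the original post or from Auth0), the check below audits a tenant's client list for the configuration the warning is about: a public client with an MFA extension grant enabled. It generalizes slightly beyond the question by also treating native apps as public clients. The `app_type` and `grant_types` fields and the `http://auth0.com/oauth/grant-type/mfa-*` identifiers are assumed from the shape of the Auth0 Management API `GET /api/v2/clients` response; the client records are constructed.

```python
"""Flag Auth0 public clients (SPA, native) that have an MFA extension grant enabled."""
import json

# Auth0 MFA extension grant identifiers (assumed from the Management API client schema).
MFA_GRANT_TYPES = {
    "http://auth0.com/oauth/grant-type/mfa-otp",
    "http://auth0.com/oauth/grant-type/mfa-oob",
    "http://auth0.com/oauth/grant-type/mfa-recovery-code",
}

# app_type values for clients that cannot keep a client secret confidential.
PUBLIC_APP_TYPES = {"spa", "native"}

# Constructed sample shaped like GET /api/v2/clients output (only the relevant fields).
SAMPLE_CLIENTS = json.loads("""
[
  {"name": "Web Dashboard", "client_id": "EXAMPLE_SPA_ID", "app_type": "spa",
   "grant_types": ["authorization_code", "refresh_token",
                   "http://auth0.com/oauth/grant-type/mfa-otp"]},
  {"name": "Backend Service", "client_id": "EXAMPLE_M2M_ID", "app_type": "non_interactive",
   "grant_types": ["client_credentials", "http://auth0.com/oauth/grant-type/mfa-otp"]},
  {"name": "Mobile App", "client_id": "EXAMPLE_NATIVE_ID", "app_type": "native",
   "grant_types": ["authorization_code", "refresh_token"]}
]
""")


def is_public_client(client):
    """A client is public when its app_type cannot hold a secret (SPA or native)."""
    return client.get("app_type") in PUBLIC_APP_TYPES


def mfa_grants_enabled(client):
    """Return the MFA extension grants enabled on this client, sorted for stable output."""
    return sorted(set(client.get("grant_types", [])) & MFA_GRANT_TYPES)


def find_mfa_on_public_clients(clients):
    """Return one finding per public client that has any MFA grant enabled."""
    findings = []
    for client in clients:
        grants = mfa_grants_enabled(client)
        if is_public_client(client) and grants:
            findings.append({"client_id": client["client_id"], "name": client.get("name"),
                             "app_type": client["app_type"], "mfa_grants": grants})
    return findings


if __name__ == "__main__":
    for finding in find_mfa_on_public_clients(SAMPLE_CLIENTS):
        print(f"{finding['app_type']} client {finding['name']} ({finding['client_id']}) "
              f"has MFA grants enabled: {', '.join(finding['mfa_grants'])}")
```

To run it against a real tenant, replace `SAMPLE_CLIENTS` with the JSON returned by `GET /api/v2/clients` using a Management API token that carries the `read:clients` scope; the confidential `non_interactive` client in the sample is deliberately not flagged.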