Need clarification on the Management API device credentials scopes for SPAs

I’ve found a few inconsistencies with the current_user_device_credentials scopes that are available for SPAs using the Auth0 Management API directly (versus proxying through a backend).

The documentation here indicates that create:current_user_device_credentials and delete:current_user_device_credentials scopes are available for the current user, and I can confirm that I’ve been able to get an access_token including these scopes, using the auth0-spa-js SDK. However:

  1. Missing read:current_user_device_credentials scope
    The Management API docs for Retrieve device credentials indicate that there is also a read:current_user_device_credentials scope that can be used for this API request. But when I request this scope, it is not returned in the access_token.

  2. delete:current_user_device_credentials scope not accepted
    Attempting to use this scope for Delete a device credential returns 403 with message: “Insufficient scope; expected: delete:device_credentials”. I’ve tried this both in Postman as well as the Management API Explorer.

  3. Create a device public key credential API endpoint not well documented
    Does this API endpoint mirror what you would end up with after a successful user-initiated Device Authorization Grant flow?

Thanks for your help!