I’ve found a few inconsistencies with the current_user_device_credentials scopes that are available for SPAs using the Auth0 Management API directly (versus proxying through a backend).
The documentation here indicates that delete:current_user_device_credentials scopes are available for the current user, and I can confirm that I’ve been able to get an access_token including these scopes, using the auth0-spa-js SDK. However:
The Management API docs for Retrieve device credentials indicate that there is also a read:current_user_device_credentials scope that can be used for this API request. But when I request this scope, it is not returned in the access_token.
delete:current_user_device_credentials scope not accepted
Attempting to use this scope for Delete a device credential returns 403 with message: “Insufficient scope; expected: delete:device_credentials”. I’ve tried this both in Postman as well as the Management API Explorer.
Thanks for your help!