Hi Han.
In general, SPAs cannot get a token for the management API v2, unless it’s for one of the scopes that affect the currently logged user (like read:current_user). This is further explained in this document: Get Management API Access Tokens for Single-Page Applications (the one you linked).
The /authorize request mentioned in the doc is the token request. In a SPA you would probably use something like auth0Client.loginWithPopup(params); to present a popup for the user interaction (to avoid losing the state of the app).
params would be an object where you’d have at least:
{
"audience":"https://your_auth0_domain/api/v2/",
"scope": "the desired scopes"
}
Remember that an SPA would have the scope limited to those of the currently logged user. If you need more generic access, you’ll need to access it from a backend application that can execute a client-credentials flow to exchange a client ID and client secret for a token (as explained in https://auth0.com/docs/api/management/v2/tokens).
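
An added example, not part of the original post and not Auth0's code: it builds the params object described above, refuses scopes a SPA should not request, and compares the claims of the returned access token with what was asked for. The helper names, the scope pattern (scopes naming current_user) and the sample token are assumptions made for illustration.

```javascript
// Added example, not from the original post.
// Assumption: the Management API scopes a SPA may request name "current_user".
const SPA_SCOPE = /^[a-z]+:current_user(_[a-z_]+)?$/;
const OIDC_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);

// Build the params object passed to auth0Client.loginWithPopup(params).
function buildManagementParams(domain, scopes) {
  const rejected = scopes.filter((s) => !SPA_SCOPE.test(s));
  if (rejected.length > 0) {
    // These need a backend running the client-credentials flow instead.
    throw new Error("not available to a SPA: " + rejected.join(" "));
  }
  return { audience: `https://${domain}/api/v2/`, scope: scopes.join(" ") };
}

// Decode a JWT payload WITHOUT verifying the signature.
// Debugging aid only: the API that receives the token validates it.
function decodeClaims(jwt) {
  const part = jwt.split(".")[1];
  if (!part) throw new Error("not a JWT");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(padded));
}

// Compare what the token grants with what params requested.
function checkGrant(jwt, params) {
  const claims = decodeClaims(jwt);
  const aud = [].concat(claims.aud || []); // aud may be a string or an array
  const granted = (claims.scope || "").split(" ").filter(Boolean);
  return {
    audienceOk: aud.includes(params.audience),
    missing: params.scope.split(" ").filter((s) => !granted.includes(s)),
    // Anything that is neither an OIDC scope nor a current_user scope.
    unexpected: granted.filter((s) => !OIDC_SCOPES.has(s) && !SPA_SCOPE.test(s)),
  };
}

// Constructed sample token: unsigned, placeholder signature, for the demo only.
function sampleToken(payload) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc(payload)}.sig`;
}
```

In the SPA, the result of `buildManagementParams` is what goes to `auth0Client.loginWithPopup`; `checkGrant` only reads claims and does not replace validation by the API.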