I’m not sure I completely understand. Wouldn’t any user be able to spoof a request from your app with the params and get admin privileges? Where are you keeping your list of admin?
Doing this via an API call or list in a rule would probably be more advisable. Are you assigning them a role in auth0? Like using the auth0 roles features?