Prevent user from accessing management API *at all*

Hi there,

It appears our users can log in to the out-of-the-box “Auth0 Management API” with the following scopes:

read:current_user
update:current_user_identities
update:current_user_metadata
create:current_user_metadata
delete:current_user_metadata
create:current_user_device_credentials
delete:current_user_device_credentials

Where is this defined, and how can we stop them from doing so? It’s a constant mind exercise when considering the security of our application, because we have to consider “What if the user changed their metadata or linked their accounts etc. without going through our API?”

TBH, I really struggle to understand the concept of the “Auth0 Management API” and why it sits alongside our own API; i.e. if we want a user to update their name, we want to go via our API which, chances are, would then authenticate and authorise the API call, apply our own business logic and subsequently call into the Auth0 Management API (with full admin permissions).

This pattern is the same as any other third party API (and even our own DB), e.g. if a user wants to update their payment methods in Stripe, they wouldn’t be issued an access token for the Stripe API, but rather they’d go via our API and again, we’d authenticate and authorise the API call, apply our own business logic and then call into Stripe with full admin permissions.

Not sure if somebody can perhaps shed some light on this?
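As an added example (not code from the original post, and not Auth0’s own SDK), here is the “go via our API” pattern described above, in Python: the caller’s Auth0-issued access token authenticates to our backend, our backend applies its own authorisation and business rules, and only then does it call the Management API with a server-side, admin-scoped token that end users never receive. It assumes the caller’s token has already been validated (signature, issuer, audience, expiry) by upstream middleware so we receive its claims as a dict; that the Management API token comes from a server-side client-credentials grant; and that the user-update endpoint is `PATCH https://{tenant}/api/v2/users/{id}` with a JSON body (as I recall from Auth0’s documentation; verify against the current reference). The tenant domain, token values and the `send` callable are placeholders.

```python
"""Backend-mediated profile update: user token in, Management API token out.

Added example for the discussion above; not the original post's code and
not Auth0's SDK. Assumptions (placeholders) are marked in comments.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
from urllib.parse import quote

MAX_NAME_LEN = 100  # business rule invented for this example


@dataclass
class Request:
    """The outbound HTTP request our backend would send to Auth0."""
    method: str
    url: str
    headers: Dict[str, str]
    body: str


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


class ProfileService:
    def __init__(self, tenant_domain: str,
                 mgmt_token_provider: Callable[[], str],
                 send: Callable[[Request], dict]):
        # tenant_domain: e.g. "example.auth0.com" (placeholder).
        # mgmt_token_provider: returns an admin-scoped Management API token
        #   obtained server-side (client credentials); never sent to users.
        # send: transport for the outbound request (injectable for testing).
        self.domain = tenant_domain
        self._mgmt_token = mgmt_token_provider
        self._send = send

    def update_name(self, caller_claims: dict, target_user_id: str,
                    new_name: str) -> dict:
        # Authorisation is OUR job: the Management API, called with an admin
        # token, would happily update any user we name. Only the subject of
        # the validated caller token may change their own profile.
        sub = caller_claims.get("sub")
        if not sub or sub != target_user_id:
            raise Forbidden("callers may only update their own profile")

        # Business logic the post wants to enforce centrally.
        name = new_name.strip()
        if not name or len(name) > MAX_NAME_LEN:
            raise BadRequest("name must be 1..%d characters" % MAX_NAME_LEN)

        # Privileged call. Note the user's own access token is never
        # forwarded; only our server-side Management API token is used.
        # Endpoint shape assumed from Auth0's user-update API (verify).
        req = Request(
            method="PATCH",
            url="https://%s/api/v2/users/%s"
                % (self.domain, quote(target_user_id, safe="")),
            headers={
                "Authorization": "Bearer " + self._mgmt_token(),
                "Content-Type": "application/json",
            },
            body=json.dumps({"name": name}),
        )
        return self._send(req)


def handle_update_request(svc: ProfileService, caller_claims: dict,
                          target_user_id: str, new_name: str) -> Tuple[int, dict]:
    """Route-handler shaped wrapper: maps outcomes to HTTP-style results."""
    try:
        resp = svc.update_name(caller_claims, target_user_id, new_name)
        return 200, resp
    except Forbidden as e:
        return 403, {"error": str(e)}
    except BadRequest as e:
        return 400, {"error": str(e)}


if __name__ == "__main__":
    # Constructed demo: a fake transport that just echoes what would be sent.
    def echo(req: Request) -> dict:
        return {"sent": req.method + " " + req.url, "body": json.loads(req.body)}

    svc = ProfileService("example.auth0.com", lambda: "MGMT-TOKEN", echo)
    print(handle_update_request(svc, {"sub": "auth0|abc"}, "auth0|abc", " Alice "))
    print(handle_update_request(svc, {"sub": "auth0|abc"}, "auth0|other", "Bob"))
```

The point the example makes is that the Management API's own scope check cannot replace this layer: an admin-scoped token authorises everything, so the "only your own profile, only after our rules" decision has to be made in our backend before the privileged call is composed.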