I’m adding support for user self-administration via our existing API. I’m not too worried about a user updating their username or email (even email is shaky), but I’m unclear on how to safely allow a user to change their password or delete their account. Yes, they need a valid API token, but that’s not hard for a hacker to acquire, and then all you need is a valid Auth0 user ID. Is there a way to require their password as well, for such operations?
The scenario is: a user wants to change their email, username, password, or delete their account in a mobile app. The mobile app asks our API to do the work, and the API uses a machine-to-machine token against the Auth0 Management API to oblige.
Any advice for securely providing access to Management functions via a machine-to-machine client API? Thanks!
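One way to gate the sensitive operations the question describes, as an added example that is not part of the original post and not Auth0's own code: the API binds the request to the access token's `sub` (so a stolen token plus a guessed user ID gets nothing), looks the target user up with the machine-to-machine token, re-checks the supplied current password against Auth0's `/oauth/token` endpoint using the Resource Owner Password grant for that user's own email, and only then issues the Management API `PATCH`/`DELETE`. The tenant domain, client IDs, connection name and credentials in `cfg` are placeholders, and the HTTP helpers `post` and `send` are injected so the module runs offline; `http_post_form` and `http_send` are the real transports you would pass in production.

```python
"""Added example, not code from the original post or from Auth0.

Assumptions (not in the post): the API has already validated the bearer
token's signature, issuer and audience and passes its claims in as `claims`;
the values in `cfg` are placeholders; the ROPG client is a separate Auth0
application with the password grant enabled; `post(url, form) -> (status,
body)` and `send(method, url, token, json_body) -> (status, body)` are
injectable HTTP helpers so the logic can be exercised without the network.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

SENSITIVE_OPS = {"change_password", "delete_account"}


class Forbidden(Exception):
    pass


def check_subject(claims, target_user_id):
    """The target user ID is only acceptable if it is the token's own subject.
    Never let a caller pick an arbitrary Auth0 user ID from the request body."""
    if not claims.get("sub") or claims["sub"] != target_user_id:
        raise Forbidden("token subject does not match target user")
    return True


def verify_current_password(domain, client_id, client_secret, username, password, post):
    """Prove knowledge of the current password by asking Auth0 to authenticate
    the user (Resource Owner Password grant). True only on HTTP 200 with a token."""
    status, body = post(f"https://{domain}/oauth/token", {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "openid",
    })
    return status == 200 and "access_token" in body


def user_url(domain, user_id):
    # Auth0 user IDs contain '|', which must be percent-encoded in the path.
    return f"https://{domain}/api/v2/users/{urllib.parse.quote(user_id, safe='')}"


def self_admin(op, claims, request, cfg, mgmt_token, post, send):
    """Perform `op` for the token's subject. request carries user_id,
    current_password and (for change_password) new_password."""
    user_id = request["user_id"]
    check_subject(claims, user_id)
    url = user_url(cfg["domain"], user_id)
    if op in SENSITIVE_OPS:
        # Fetch the profile with the M2M token so the password is checked against
        # *this* account's email, not a username the caller chose to supply.
        status, profile = send("GET", url, mgmt_token, None)
        if status != 200 or not profile.get("email"):
            raise Forbidden("unknown user")
        if not verify_current_password(cfg["domain"], cfg["ropg_client_id"],
                                       cfg["ropg_client_secret"], profile["email"],
                                       request.get("current_password", ""), post):
            raise Forbidden("current password rejected")
    if op == "change_password":
        # Management API PATCH /api/v2/users/{id}; "connection" is required when setting a password.
        status, _ = send("PATCH", url, mgmt_token,
                         {"password": request["new_password"], "connection": cfg["connection"]})
        return status == 200
    if op == "delete_account":
        status, _ = send("DELETE", url, mgmt_token, None)  # Auth0 answers 204 on success
        return status == 204
    raise ValueError(f"unsupported operation {op!r}")


def _do(req):
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:
        return e.code, {}


def http_post_form(url, form):
    """Real transport for verify_current_password: form-encoded POST."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    return _do(req)


def http_send(method, url, token, body):
    """Real transport for the Management API: JSON with the M2M bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    return _do(req)
```

The password check is deliberately done after the Management API lookup rather than with an email taken from the request: a holder of a stolen token could otherwise pass the check with their own credentials and then operate on the victim's account. Rate-limit and log failed `verify_current_password` calls the same way as login failures, since this path is a password oracle.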