So it sounds like you’re trying to get a token in order to call the Auth0 Management API from a SPA context (see here for more details). Correct? Tokens used for calling the Auth0 Management API are Access Tokens, so you will also need to specify the Auth0 Management API as the audience in the call to authorise; read:current_user and update:current_user_identities are scopes typically returned as part of the Access Token, not the ID Token.