I am not sure how this is ‘secure’ or safe enough that others wouldn’t abuse it.
To have Auth0 send an email to a user to reset their password… all I had to do was perform the following POST:
var response = await _client.PostAsync("dbconnections/change_password", content);
where content contained the client_id and user’s email address.
While I recognize only that user could reset their password, it seems that others could hack around and force my application to send emails out if all they really had to know is my application client_id and a user’s email address. Is client_id considered very private and not to be put in any JS/C# code?