The requests between your backend API and the Auth0 Management API should be separated from the user. You should request a separate token, using the client credentials grant (client_id and client_password in exchange for an Access Token).
The flow would go like this:
- User login returns Access Token through the SPA with your backend API as the audience
- SPA makes requests to your backend API with the User’s Access Token
- Your backend validates the request and token and requests its own Access Token with the Management API as the audience (M2M Access Token)
- Backend API makes any request to the Management API with the M2M Access Token
There are two Access Tokens in this scenario.
- A token for requests from SPA → backend API (user Access Token)
- A token for requests from backend API → Management API (M2M Access Token)
I’m not sure where this is stated, or if this is specific to laravel. I can look into it if you provide a link to the source.
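The two-token flow described in this reply, as an added Python sketch (not Auth0's code or the poster's): a toy HS256 issuer stands in for the tenant, and the signing key, audiences and client credentials are constructed placeholders. It shows the backend validating the user's token against its own audience, then obtaining a separate M2M token via the client credentials grant, and that the user token is rejected for the Management API audience.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders: shared HS256 key standing in for the tenant's
# signing key, two audiences, and one machine-to-machine client.
SIGNING_KEY = b"constructed-demo-signing-key"
BACKEND_AUD = "https://backend-api.example.test"          # your backend API
MGMT_AUD = "https://TENANT.example.test/api/v2/"          # Management API audience
M2M_CLIENTS = {"m2m-client-id": "m2m-client-secret"}      # client_id -> secret

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(sub: str, aud: str, ttl: int = 3600) -> str:
    """Toy issuer: mint a compact HS256 JWT bound to one audience."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    now = int(time.time())
    claims = {"sub": sub, "aud": aud, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, expected_aud: str):
    """Check signature, expiry and audience; return the claims or None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    # A token minted for another audience must not be accepted here.
    if claims.get("aud") != expected_aud or claims.get("exp", 0) < time.time():
        return None
    return claims

def client_credentials_grant(client_id: str, client_secret: str, audience: str):
    """Toy token endpoint: client_id + secret in exchange for an M2M Access Token."""
    if not hmac.compare_digest(M2M_CLIENTS.get(client_id, ""), client_secret):
        return None
    return issue_token(sub=f"{client_id}@clients", aud=audience)

def backend_handle_request(user_token: str):
    """Step 3 of the flow: validate the user's token, then fetch our own M2M token."""
    user_claims = verify_token(user_token, BACKEND_AUD)
    if user_claims is None:
        return None                       # reject before touching the Management API
    m2m_token = client_credentials_grant("m2m-client-id", "m2m-client-secret", MGMT_AUD)
    return user_claims, verify_token(m2m_token, MGMT_AUD)
```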