SPA with Auth0.js and Management API – consent required

Hey! I could definitely do with some “Developer Success” today … I’m working with an SPA that uses Auth0 for authentication and authorization (using Auth0.js) and I want to update the user’s image.

The only way to update the metadata of the currently logged in user is to use the Management API, right?

According to this doc Get Management API Access Tokens for Single-Page Applications I should be able to obtain an access token for the Management API by using the audience https://MY_DOMAIN/api/v2/ and the scope (in my case, update:current_user_metadata).

After my user has logged in, I call webAuth.checkSession with that audience and scope, but I get a consent_required error. (I’m using as the domain and added it to the allowed web origins for my app.)

Am I missing something or is this expected behaviour?


Later Addition: I am able to get an access token for the Management API if I use the authorize endpoint and then grant access in the popup. But I don’t want my users to see this dialogue, as it will be very confusing (“I should give access to WHAT to WHOM?!”). Can I skip consent or get the access token for the Management API when the user logs in? (I think the latter question was already answered several times in this community, and the answer is no …)


same problem here exactly…

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?

Hey Konrad, thanks for reaching out. Actually, we gave up on that issue because it wasn’t a priority, but some help would still be appreciated (especially seeing that other people have the same problem). Haven’t touched this in a while, but if you need more info, I can check.


Hey there @ryan_r!

Sorry for the delay in response once again but sometimes the number of questions we get is too much for three people team. So I discussed it with the team and they have some thoughts to share.

You’re correct with you last assumption which is that you can’t skip consent. What you should be using know is the doc you mentioned:

but instead of auth0-js you should go for our new SDK for SPAs:

Thank you and once more sorry for any inconvenience!