Using Management API

Hello!

I know that Management API tokens for SPAs have limitations, the most prominent one being the restriction of API operations to a single currently logged-in user.

I was wondering if there is a workaround for this. Is there a way to bypass this limitation and let certain users manage other users through Management API?

Thank you.

Hello there @KBar welcome to the community!

Unfortunately, there really isn’t a way to bypass this limitation directly. Instead, the best way to go about this is to proxy calls to the Management API via your backend in a way that works for you. This type of architecture is outlined in the following FAQ:

https://community.auth0.com/t/how-can-i-enable-users-to-change-their-email-address-from-a-spa-or-native-app/44064

Let us know if you have any follow up questions to this!
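The backend proxy architecture the reply above points to, as an added example that is not part of this thread and not Auth0's or node-auth0's own code. The security-relevant piece of such a proxy is not the forwarding itself but the authorization decision in front of it: the SPA presents its own access token, the backend decides whether that caller may act on the target user, and only then uses the server-side Management API client. The permission names (`read:users`, `update:users`), the `req.auth` object assumed to be populated by an upstream JWT check, the route shape in the wiring comment, and the field allow-list are all assumptions of this example; the policy function is kept free of Express so it can be exercised with stub request/response objects.

```javascript
// Added example (not from the thread, not Auth0's own code): the backend
// authorization layer for a Management API proxy. The SPA never holds a
// Management API token; it calls this backend with its own access token, the
// backend verifies who is calling (assumed already done by an upstream JWT
// check that sets req.auth), decides whether that caller may act on the target
// user, and only then forwards the call with the server-side M2M client.
// Claim names, permission strings and route shape below are assumptions.

// Operations this proxy is willing to forward, mapped to the permission a
// caller needs to perform them on someone else's account (assumed names).
const OPERATION_PERMISSION = {
  'read:user':   'read:users',
  'update:user': 'update:users',
};

// Pure policy decision, kept separate from Express so it can be unit-tested.
// caller: { sub, permissions } taken from the verified access token.
// Returns { allowed: boolean, reason: string }.
function authorizeUserOperation(caller, operation, targetUserId) {
  const required = OPERATION_PERMISSION[operation];
  if (!required) {
    return { allowed: false, reason: 'operation not proxied' };
  }
  if (!caller || typeof caller.sub !== 'string') {
    return { allowed: false, reason: 'unauthenticated' };
  }
  // A user may always act on their own record (what the SPA token could do anyway).
  if (caller.sub === targetUserId) {
    return { allowed: true, reason: 'self' };
  }
  const perms = Array.isArray(caller.permissions) ? caller.permissions : [];
  if (perms.includes(required)) {
    return { allowed: true, reason: `has ${required}` };
  }
  return { allowed: false, reason: `missing ${required}` };
}

// Express-style middleware factory wrapping the policy above. `operation` is
// fixed per route; the target user id comes from the URL parameter. It follows
// Express's (req, res, next) contract but has no dependency on Express, so it
// can be exercised with stub objects.
function requireUserOperation(operation) {
  return function (req, res, next) {
    const decision = authorizeUserOperation(req.auth, operation, req.params.id);
    if (!decision.allowed) {
      // 401 when nothing identified the caller, 403 for an identified caller.
      const status = decision.reason === 'unauthenticated' ? 401 : 403;
      return res.status(status).json({ error: decision.reason });
    }
    next();
  };
}

// Only forward an allow-listed set of fields so the SPA cannot use the proxy
// to change attributes the policy never considered (e.g. app_metadata).
const UPDATABLE_FIELDS = ['name', 'nickname', 'picture', 'user_metadata'];
function pickUpdatableFields(body) {
  const out = {};
  for (const key of UPDATABLE_FIELDS) {
    if (body && Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// How the pieces would be wired in Express (illustrative, not executed here;
// `checkJwt` and `management` are assumed to exist):
//   app.patch('/api/users/:id', checkJwt, requireUserOperation('update:user'),
//     async (req, res) => {
//       const updated = await management.users.update({ id: req.params.id },
//                                                     pickUpdatableFields(req.body));
//       res.json(updated);
//     });

// Quick demonstration of the policy outcomes.
const demoAdmin = { sub: 'auth0|admin', permissions: ['update:users'] };
const demoUser = { sub: 'auth0|bob', permissions: [] };
console.log(authorizeUserOperation(demoUser, 'update:user', 'auth0|bob'));    // self: allowed
console.log(authorizeUserOperation(demoUser, 'update:user', 'auth0|alice'));  // missing permission
console.log(authorizeUserOperation(demoAdmin, 'update:user', 'auth0|alice')); // has update:users
```

The point of splitting the decision out of the middleware is that the rule "who may touch whose record" becomes something you can test and review on its own, instead of being buried in route handlers that also hold the M2M client.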

Hello, @ty.frith and thank you!

After a bit more research, I settled on building an Express back-end for handling this. node-auth0 makes this super easy with its automatic token refresh. It was literally 5 lines of code and 3 pieces of middleware and it was ready to operate.

Huge props to the team behind the package!

Hey @KBar that’s awesome to hear! Thanks for following up with the community :rocket:

Thanks, @ty.frith!

While we’re at it, I wanted to confirm that my understanding and implementation are correct. So node-auth0 is supposed to take care of token management, right? Does it always use the same token until it expires in 24 hours, or do I have to configure my back-end in some form? Currently, these are the 5 lines of code my Express server runs that I talked about previously:

// Server-side only: the client secret must never be shipped to the SPA.
const api = require("auth0").ManagementClient;

// Authenticates with the client-credentials grant; the client obtains the
// Management API token itself and, per the documentation, caches it and
// refreshes it automatically.
const { users } = new api({
  domain: process.env.DOMAIN,
  clientId: process.env.CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET
});

As per the documentation, caching & refreshing tokens is done automatically behind the scenes. But how does it accomplish that? Does it just compare the current timestamp with the one recorded in expires_in before every call? Where is the cache stored? What happens if the server is restarted?
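An added illustration of the cache-and-refresh pattern the question above describes. This is example code written for this page, not node-auth0's implementation, and it makes no claim about that library's internals; it shows the generic shape such a helper takes: the token is reused until the current time gets within a safety margin of the expiry computed from `expires_in` at fetch time, the cache lives in process memory (so a restart starts empty and the next call fetches again), and concurrent callers on a stale cache share one refresh rather than each requesting a token. The `fetchToken` function and the injectable `now` clock are assumptions of the example so it runs offline; the fake token endpoint hands out the 24 h (86400 s) lifetime mentioned in the thread.

```javascript
// Added example (not node-auth0's implementation): the generic pattern a
// client-credentials helper follows when it "caches and refreshes" a
// Management API token. The decision is a timestamp comparison: the token is
// reused until `now` gets within a safety margin of the expiry computed from
// `expires_in` at fetch time, then one new token is requested.
// Storage is a field on the object, i.e. process memory: a restart starts
// with an empty cache and the next call simply fetches a fresh token.
// `fetchToken` and `now` are injected so the behaviour can be exercised
// without a network or a real clock (both are assumptions of this example).

class TokenCache {
  // fetchToken:    async () => ({ access_token, expires_in }), expires_in in
  //                seconds, as returned by an OAuth 2.0 token endpoint.
  // now:           () => milliseconds since epoch (defaults to Date.now).
  // marginSeconds: refresh this long before the real expiry so that an
  //                in-flight call never carries a token that dies mid-request.
  constructor(fetchToken, { now = Date.now, marginSeconds = 60 } = {}) {
    this.fetchToken = fetchToken;
    this.now = now;
    this.marginMs = marginSeconds * 1000;
    this.cached = null;    // { accessToken, expiresAtMs }
    this.inflight = null;  // de-duplicates concurrent refreshes
    this.fetchCount = 0;   // for observation only
  }

  isFresh() {
    return this.cached !== null && this.now() + this.marginMs < this.cached.expiresAtMs;
  }

  async getAccessToken() {
    if (this.isFresh()) return this.cached.accessToken;
    // Several concurrent callers on a stale cache trigger one fetch, not one each.
    if (!this.inflight) {
      this.inflight = this.refresh().finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }

  async refresh() {
    const fetchedAt = this.now();
    const { access_token, expires_in } = await this.fetchToken();
    this.fetchCount += 1;
    this.cached = {
      accessToken: access_token,
      expiresAtMs: fetchedAt + expires_in * 1000,
    };
    return access_token;
  }
}

// Constructed stand-in for the token endpoint: hands out a new token on each
// call with the 24 h lifetime (86400 s) the thread mentions.
function makeFakeTokenEndpoint() {
  let n = 0;
  return async () => ({ access_token: `token-${++n}`, expires_in: 86400 });
}

// Walks a controllable clock across an expiry boundary and returns the
// sequence of tokens handed out plus how many fetches that cost.
async function demonstrateRefresh() {
  let clock = 1700000000000; // constructed epoch ms
  const cache = new TokenCache(makeFakeTokenEndpoint(), { now: () => clock, marginSeconds: 60 });
  const t1 = await cache.getAccessToken();       // fetch #1
  const t2 = await cache.getAccessToken();       // served from cache
  clock += (86400 - 120) * 1000;                 // 2 min before expiry: still outside the margin
  const t3 = await cache.getAccessToken();       // still cached
  clock += 61 * 1000;                            // now inside the 60 s margin
  const t4 = await cache.getAccessToken();       // fetch #2
  const [c1, c2] = await Promise.all([cache.getAccessToken(), cache.getAccessToken()]);
  return { tokens: [t1, t2, t3, t4, c1, c2], fetches: cache.fetchCount };
}

demonstrateRefresh().then((r) => console.log(JSON.stringify(r)));
```

Whatever the library does internally, the operational consequence for the server is the same as in this sketch: a restart costs one extra token request and nothing else, and a token-endpoint outage shows up as a failure on the first Management API call after expiry rather than on every call, which is worth knowing when you read the backend's logs.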