Using Management API


I know that Management API tokens for SPAs have limitations, the most prominent one being the restriction of API operations to a single currently logged-in user.

I was wondering if there is a workaround for this. Is there a way to bypass this limitation and let certain users manage other users through Management API?

Thank you.

Hello there @KBar, welcome to the community!

Unfortunately, there really isn’t a way to bypass this limitation directly. Instead, the best way to go about this is to proxy calls to the Management API via your backend in a way that works for you. This type of architecture is outlined in the following FAQ:

Let us know if you have any follow-up questions to this!

Hello, @tyf and thank you!

After a bit more research, I settled on building an Express back-end for handling this. node-auth0 makes this super easy with its automatic token refresh. It was literally 5 lines of code and 3 pieces of middleware and it was ready to operate.

Huge props to the team behind the package!


Hey @KBar that’s awesome to hear! Thanks for following up with the community :rocket:

Thanks, @tyf !

While we’re at it, I wanted to confirm that my understanding and implementation are correct. So node-auth0 is supposed to take care of token management, right? Does it always use the same token until it expires in 24 hours, or do I have to configure my back-end in some form? Currently, these are the 5 lines of code my Express server runs that I talked about previously:

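```js
// ManagementClient from node-auth0; credentials are read from the server's environment
const api = require("auth0").ManagementClient;

// Keep only the users manager from the configured client
const { users } = new api({
  domain: process.env.DOMAIN,
  clientId: process.env.CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET
});
```
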
As per the documentation, caching & refreshing tokens is done automatically behind the scenes. But how does it accomplish that? Does it just compare the current timestamp with the one recorded in expires_in before every call? Where is the cache stored? What happens if the server is restarted?
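Added example (not part of the thread, and not node-auth0's actual implementation): a generic sketch of how a backend can cache a client-credentials token in process memory, reuse it until shortly before `expires_in` elapses, and fetch a new one after a restart. The names `createTokenCache`, `fetchToken`, `skewMs` and the fake token endpoint are assumptions made for illustration.

```javascript
// Generic in-memory cache for a machine-to-machine access token.
// fetchToken and now are injected (hypothetical names) so the sketch runs offline.
function createTokenCache(fetchToken, { now = () => Date.now(), skewMs = 60000 } = {}) {
  let cached = null;   // { token, expiresAt }: lives only in this process's memory
  let inflight = null; // shared promise so concurrent callers trigger a single fetch

  async function refresh() {
    const res = await fetchToken(); // expects { access_token, expires_in } (seconds)
    cached = { token: res.access_token, expiresAt: now() + res.expires_in * 1000 };
    return cached.token;
  }

  return async function getToken() {
    // Reuse the cached token until skewMs before its expiry.
    if (cached && now() < cached.expiresAt - skewMs) return cached.token;
    if (!inflight) {
      inflight = refresh().finally(() => { inflight = null; });
    }
    return inflight;
  };
}

// Constructed stand-in for a token endpoint; issues token-1, token-2, ...
function makeFakeTokenEndpoint() {
  let issued = 0;
  const fetchToken = async () => ({ access_token: `token-${++issued}`, expires_in: 86400 });
  return { fetchToken, count: () => issued };
}

async function demo() {
  let clock = 0; // fake clock in milliseconds
  const endpoint = makeFakeTokenEndpoint();
  const getToken = createTokenCache(endpoint.fetchToken, { now: () => clock });
  const [a, b] = await Promise.all([getToken(), getToken()]); // one fetch, shared
  clock = 23 * 3600 * 1000; // 23 hours later: cached token is still valid
  const c = await getToken();
  clock = 24 * 3600 * 1000; // at expiry: a new token is fetched
  const d = await getToken();
  // A server restart means a new, empty cache, so the first call fetches again.
  const restarted = createTokenCache(endpoint.fetchToken, { now: () => clock });
  const afterRestart = await restarted();
  return { a, b, c, d, afterRestart, fetches: endpoint.count() };
}

demo().then((result) => console.log(result));
```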
