Fix guide · critical · auth0_management_token

Auth0 Management API token in client code

What this rule means

A JWT whose audience (aud) claim names the Auth0 Management API, auth0.com/api/v2, was found in your deployed JavaScript.
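
As an added illustration (this is not the vibecheck scanner's own code), here is a minimal version of the check behind this rule: it finds JWT-shaped strings in bundle text, reads the payload claims without verifying the signature, and reports tokens whose aud claim points at the Management API. The tenant name, the tokens and the bundle text are constructed for the example; a real scan runs over your built bundle files.

```javascript
// Added example: a minimal form of the check behind this rule. Not the
// vibecheck scanner's code; tenant, tokens and bundle text are constructed.

// Three base64url segments separated by dots; the minimum segment length keeps
// ordinary dotted identifiers (a.b.c, version strings) from matching.
const JWT_RE = /[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g;

function base64UrlDecode(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the claims only. No signature check: the scanner wants to know what the
// token claims to be for; it cannot verify the signature and does not need to.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return payload && typeof payload === 'object' ? payload : null;
  } catch {
    return null;
  }
}

// The Management API audience is https://<tenant>.auth0.com/api/v2/ (the
// trailing slash varies); aud may be a string or an array of strings.
function isManagementApiToken(token) {
  const payload = decodeJwtPayload(token);
  if (!payload) return false;
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  return aud.some((a) => typeof a === 'string' && /auth0\.com\/api\/v2\/?$/.test(a));
}

// Scan bundle text; report hits redacted the way a scan report would.
function findManagementTokens(bundleSource) {
  const hits = [];
  for (const candidate of bundleSource.match(JWT_RE) || []) {
    if (isManagementApiToken(candidate)) hits.push(candidate.slice(0, 12) + '...[redacted]');
  }
  return hits;
}

// Constructed fixture: an unsigned JWT with a dummy signature segment.
function makeUnsignedJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.${'x'.repeat(43)}`;
}

const TENANT = 'https://example-tenant.auth0.com/'; // constructed
const SAMPLE_BUNDLE = [
  // Management API token: this is what the rule flags.
  `const mgmt = "${makeUnsignedJwt({ iss: TENANT, aud: TENANT + 'api/v2/', scope: 'read:users delete:users' })}";`,
  // Ordinary access token for the app's own API: not flagged by this rule.
  `const api = "${makeUnsignedJwt({ iss: TENANT, aud: ['https://api.example.com', TENANT + 'userinfo'] })}";`,
  `const version = "1.2.3";`,
].join('\n');

console.log(findManagementTokens(SAMPLE_BUNDLE)); // one redacted hit
```

The audience check is what distinguishes this finding from a harmless access token for your own API: a token minted for the Management API is usable against the tenant itself, whichever client it was found in.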

Why it matters

The Auth0 Management API token grants tenant-wide control: list/create/delete users, modify roles, edit connections, dump user metadata. Full identity-provider compromise.

How to fix it

  1. Revoke the token at manage.auth0.com → Applications → APIs → Auth0 Management API → Test → revoke any active grant.
  2. Switch to scoped Machine-to-Machine tokens with the minimum permissions your workflow needs. Don't use the master Management API token in any code path.
  3. Move all Management API calls server-side. The frontend should only ever interact with the Authentication API (login, signup), never the Management API.
  4. Audit logs in Auth0 Dashboard → Monitoring → Logs for unfamiliar API calls during the exposure window.
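
As an added example of the server-side shape that steps 2 and 3 describe (this is not Auth0's SDK or vibecheck's code), the backend holds the Machine-to-Machine client secret, obtains a token with the client-credentials grant, caches it until shortly before expiry, and proxies a single narrowed Management API call. The browser calls only the backend route and never sees an Auth0 credential. The endpoint paths (/oauth/token and /api/v2/users/{id}) are Auth0's; everything else is assumed: Node 18+ for global fetch, the function names createManagementClient, profileHandler and makeFakeAuth0, the example tenant, and the fake responder that stands in for Auth0 so the code runs offline.

```javascript
// Added example of the server-side pattern from steps 2 and 3. Not Auth0 SDK
// or vibecheck code. Assumes Node 18+ (global fetch). Endpoint URLs are the
// real Auth0 ones; names, tenant and responses are constructed.

// The secret stays on the server. The M2M application behind clientId should
// be granted only the permissions this route needs (for instance read:users).
function createManagementClient({ domain, clientId, clientSecret, fetchImpl = fetch, now = Date.now }) {
  let cached = null; // { token, expiresAt }

  // Client-credentials grant: POST https://<domain>/oauth/token
  async function getToken() {
    if (cached && cached.expiresAt - 30 * 1000 > now()) return cached.token;
    const res = await fetchImpl(`https://${domain}/oauth/token`, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({
        grant_type: 'client_credentials',
        client_id: clientId,
        client_secret: clientSecret,
        audience: `https://${domain}/api/v2/`,
      }),
    });
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const body = await res.json();
    cached = { token: body.access_token, expiresAt: now() + body.expires_in * 1000 };
    return cached.token;
  }

  // One proxied call: GET https://<domain>/api/v2/users/{id}
  async function getUser(userId) {
    const token = await getToken();
    const res = await fetchImpl(`https://${domain}/api/v2/users/${encodeURIComponent(userId)}`, {
      headers: { authorization: `Bearer ${token}` },
    });
    if (!res.ok) throw new Error(`Management API call failed: HTTP ${res.status}`);
    return res.json();
  }

  return { getUser };
}

// The only thing the browser talks to. It requires an authenticated session,
// returns a narrowed view rather than the raw Management API record, and never
// returns the token.
async function profileHandler(client, session) {
  if (!session || !session.userId) return { status: 401, body: { error: 'unauthenticated' } };
  const user = await client.getUser(session.userId);
  return { status: 200, body: { id: user.user_id, email: user.email } };
}

// Constructed stand-in for the two Auth0 endpoints so the example runs offline.
function makeFakeAuth0(domain) {
  const calls = [];
  const json = (status, data) => ({ ok: status < 400, status, json: async () => data });
  const fetchImpl = async (url, init = {}) => {
    calls.push({ url, init });
    if (url === `https://${domain}/oauth/token`) {
      const body = JSON.parse(init.body);
      const ok = body.grant_type === 'client_credentials'
        && body.audience === `https://${domain}/api/v2/`
        && body.client_secret === 'constructed-secret';
      return ok
        ? json(200, { access_token: 'constructed-m2m-token', token_type: 'Bearer', expires_in: 86400 })
        : json(403, { error: 'access_denied' });
    }
    if (url.startsWith(`https://${domain}/api/v2/users/`)) {
      if ((init.headers || {}).authorization !== 'Bearer constructed-m2m-token') return json(401, { error: 'Unauthorized' });
      return json(200, { user_id: decodeURIComponent(url.split('/').pop()), email: 'jane@example.com', app_metadata: { plan: 'pro' } });
    }
    return json(404, {});
  };
  return { fetchImpl, calls };
}

async function demo() {
  const domain = 'example-tenant.auth0.com'; // constructed
  const { fetchImpl, calls } = makeFakeAuth0(domain);
  const client = createManagementClient({ domain, clientId: 'constructed-id', clientSecret: 'constructed-secret', fetchImpl });
  const first = await profileHandler(client, { userId: 'auth0|abc123' });
  const second = await profileHandler(client, { userId: 'auth0|abc123' }); // served from the cached token
  const anon = await profileHandler(client, null);
  const tokenRequests = calls.filter((c) => c.url.endsWith('/oauth/token')).length;
  return { first, second, anon, tokenRequests };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a real deployment clientId and clientSecret come from server-side configuration (environment variables or a secrets manager), never from a build-time constant that a bundler can inline; the cache keeps the number of token grants low, and the narrowed response means the browser learns only what the page needs rather than the full user record.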

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
