I'm using Auth0 for sign in/sign up flow and user has possibility to update his profile information.
In order to do that I'm requesting a token from auth0 using URL 'https://YOUR_DOMAIN/oauth/token', sending in payload this sensitive information:
data: {
grant_type: 'client_credentials',
client_id: 'YOUR_CLIENT_ID',
client_secret: 'YOUR_CLIENT_SECRET',
audience: 'https://YOUR_DOMAIN/api/v2/'
}
which is in plain text visible in Network Request browser.
This is procedure I'm following is here: https://auth0.com/docs/secure/tokens/access-tokens/get-management-api-access-tokens-for-production
So is possible to hide this payload data which contains this sensitive information? Since with this token you can manipulate users data if you know userID.
Or there is some other way to retrieve token from auth0 before updating profile?
You should obtain the new access token from the backend and then also update the users profile from the backend.
Your access_token should be encrypted and can be stored in a cookie or JWT token in the users browser. This is send on every request to your server/backend, you decrypt it and extract some of users info, including the expiration time of the token and the refresh_token.
If the access_token is expired you request a new one using the refresh_token from your backend to the authorization server.
If you are interested I also explain the reason for having access_token and refresh_token here: Why Does OAuth v2 Have Both Access and Refresh Tokens?