Edit the current users profile without using API Token

I want to allow a user to update profile information from a SPA.

I know I can do this using the OKTA API. I use an API Token from the backend API. However, this creates a security risk if my backend server is compromised.

Is it possible to modified a users profile data by using their JWT token ? i.e. frontend forwards the JWT token to the backend. The backend then updates the users Okta profile data for the application using the JKW for auth i.e. calling /api/v1/users/me.

Can you call “/api/v1/users/me” without using an API token or JWK ?

Does a user have permissions by default to edit all profile values?

Only those that are configured as writable in Okta

You can, if you have an Okta session cookie

what the process for my backend API to call “/api/v1/users/me” on behalf of the user using the frontend users JWT token ?

i.e. user logs into react app using OIDC. They are assigned a JWT by the authorisation server. Now I want to update a profile value using the Users API “/api/v1/users/me”. However, I keep getting 401 errors.

The JWT will need to be issued by the Org Authorization Server (iss = https://org.okta.com) and and have been granted the “okta.user.manage.self” scope, then you can use the token as bearer auth for your API call.

More details about using tokens against Okta endpoints found here: Implement OAuth for Okta | Okta Developer