WebAuth, audience, multiple APIs and scopes

At this time, each request can only specify a single audience so the scopes would also be the ones associated with the specified audience. However, there are some ways in which you can handle multiple APIs; this would also impact how all the scopes would need to be passed.

1. Multiple endpoints as single Auth0 API

If you control all the endpoints/APIs in question and they kind of represent the same or related concepts and are only implemented as distinct endpoints/APIs due to non-functional requirements (for example, you have gone the way of micro-services but they still reflect the same business requirements), then you can consider representing all of them as a single API in Auth0. This would allow for a single authorization request to give you an access token that could then be used at multiple endpoints.

For reference documentation on the above option see How to Represent Multiple APIs Using a Single Auth0 API.

2. Multiple Auth0 APIs with (silent) authorization requests

If you don’t control all the APIs that your client application may need to interact with, or they are so distinct that mapping them under a single entity could be difficult, then you can consider representing them as separate Auth0 APIs and then perform multiple authorization requests so that your client application receives multiple access tokens.

Have in mind that multiple authorization requests may not imply that the user has to perform authentication multiple times. For example, if the first request triggers user authentication but is done in a way that an authenticated session is established at the identity provider (your Auth0 account), then subsequent requests can leverage that session and not force the user to authenticate again. In some situations, in particular if none of the APIs in question requires explicit consent from the user, it may even be possible to perform the additional authorization requests without any sort of user interaction; see Silent Authentication.

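The second option above, as an added example that is not part of the original post or of any Auth0 library: the client issues one standard OAuth 2.0 authorization request per Auth0 API (one `audience` each), with every request after the first marked `prompt=none` so it rides on the session established by the first, and it then picks, for each API call, only the access token whose `aud` claim names that API and whose `scope` covers what the call needs. The tenant domain, client id, redirect URI, API identifiers and the sample tokens are placeholders constructed for this example; the tokens are unsigned, so the decoder here is only for routing on the client, never a substitute for the signature, issuer, expiry and audience validation the API itself must perform.

```javascript
// Added example (not code from the original post or from Auth0). Placeholder values:
const DOMAIN = "example-tenant.auth0.com";           // assumed tenant domain
const CLIENT_ID = "CLIENT_ID_PLACEHOLDER";           // assumed application client id
const REDIRECT_URI = "https://app.example.com/callback"; // assumed callback

// Build a standard OAuth 2.0 / OIDC authorization request URL. Auth0's /authorize
// endpoint takes the API identifier in `audience`; `prompt=none` makes the request
// silent, so it only succeeds when an authenticated session already exists at the tenant.
function buildAuthorizeUrl({ audience, scope, state, nonce, silent = false }) {
  const url = new URL(`https://${DOMAIN}/authorize`);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", CLIENT_ID);
  url.searchParams.set("redirect_uri", REDIRECT_URI);
  url.searchParams.set("audience", audience);
  url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);   // bind the response to this request
  url.searchParams.set("nonce", nonce);   // bind the id_token to this request
  if (silent) url.searchParams.set("prompt", "none");
  return url.toString();
}

// One request per API. Only the first may show a login page; the rest are silent and
// reuse the session it established. Each request carries just that API's scopes.
function planAuthorizationRequests(apis) {
  return apis.map((api, i) =>
    buildAuthorizeUrl({
      audience: api.audience,
      scope: `openid ${api.scopes.join(" ")}`,
      state: `state-${i}`, // a real client uses unguessable random values here
      nonce: `nonce-${i}`,
      silent: i > 0,
    })
  );
}

// Decode a JWT payload WITHOUT verifying it. Good enough to decide which token to send
// where; the receiving API must still verify the signature against the tenant JWKS.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact serialization");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Pick the token minted for `audience` that also carries every required scope.
// Returns null rather than falling back to a token issued for some other API.
function selectTokenForAudience(tokens, audience, requiredScopes) {
  for (const token of tokens) {
    const claims = decodeJwtPayload(token);
    const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
    if (!aud.includes(audience)) continue;
    const granted = new Set((claims.scope || "").split(" ").filter(Boolean));
    if (requiredScopes.every((s) => granted.has(s))) return token;
  }
  return null;
}

// Constructed sample tokens (unsigned, placeholder signature segment) for two APIs.
function makeSampleToken(payload) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64(payload)}.sig`;
}
const SAMPLE_TOKENS = [
  makeSampleToken({ iss: `https://${DOMAIN}/`, aud: "https://orders.example.com", scope: "read:orders" }),
  makeSampleToken({ iss: `https://${DOMAIN}/`, aud: "https://billing.example.com", scope: "read:invoices" }),
];

// Usage: plan the requests, then route each call to the token issued for that API.
const REQUESTS = planAuthorizationRequests([
  { audience: "https://orders.example.com", scopes: ["read:orders"] },
  { audience: "https://billing.example.com", scopes: ["read:invoices"] },
]);
console.log(REQUESTS.join("\n"));
console.log(selectTokenForAudience(SAMPLE_TOKENS, "https://orders.example.com", ["read:orders"]) !== null);
```

The point of `selectTokenForAudience` returning `null` instead of a best-effort token is that a token minted for one audience should never be presented to another API; a well-configured API rejects it anyway, and a client that silently substitutes tokens hides exactly the misconfiguration you want to surface.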