I have a native Android app. Normally the user logs in and gets the access token, which I can use as a Bearer token for my subsequent API calls - BUT - I don't force users to log in, and some API functions are available to non-logged-in users. Is there a way I can get Auth0 to generate a "generic" access token (for my API audience URL) that I can then attach to each API request from a non-logged-in user? I want to enforce that the API calls are coming from my client, but possibly with no login. Or is there a more standard way to handle securing access to an API that can serve both logged-in and anonymous users? If I split my API into different endpoints, I still want to ensure the anonymous one is not callable by anybody anywhere (just from my client native app).
For that scenario you could say there are two actors involved in the flow that leads to an API call: an end-user that is using the client application, and the client application itself. In some situations the client application, if left running, could make requests on its own without user interaction, but the user had to start/install the application, so let's count that as some sort of user interaction.
If you don't want to force end-users to authenticate, then there's only one other actor that can provide credentials. However, the client application is a native application that runs on the end-users' devices, so any secret that could be accessed and used by the application to authenticate a request could also be obtained by a third party (aka an attacker). In conclusion, ultimately you should accept that the public API part may be called by a party other than your application. You can make it more difficult to do so; for example, a hardcoded API secret in the application code would stop calls from people who don't want to bother with getting at the API key, but it won't stop a determined person.