Auth0 Home Blog Docs

2 application scenario: MVC and RestAPI



I have a Java MVC application and one RestAPI application. On MVC I have added auth0 integration and I am able to call login page, authenticate, and process callback request.

From this MVC application, I need to call the RestAPI and I want to use same Auth0 user to authenticate on that side and be sure the caller is authorized to complete the request and I was thinking to implement something like that:

  1. on MVC side, I add the Authorization token received from Auth0 into the header (Bearer)
  2. on RestAPI I want to implement a Java Filter to validate the token before to proceed. (i.e. calling the /userinfo api to retrieve userdata and in case of success proceed)

So, for first, is it the proper way to do that? (We did in past in other projects but not sure it is correct), I have seen on the Auth0 dashboard it is possible to authorize application (machine to machine auth) but it is not clear at that point, how to handle user management.
Second thing, I have tested manually and I did not have to add the ClientID or Secret Id to retrieve the user info as soon as I have a valid access token, is there a way to force to add the token for the external RestAPI application to every call?

I really appreciate who will help me and, please, be patient if my request is stupid or repetitive… I read a lot of stuff during last week, it’s Friday, I am tired, and I have to provide feedback about that before “yesterday”…



Hi Andrea.
No need to apologize for questions. This stuff is just complicated at times and, if anything, we at Auth0 and others in the industry need to figure out how to make things simpler for developers.

I would model you scenario like this:

  • One API (a.k.a. “Resource server” in OAuth2 parlance). This represents your Rest API. You give it a unique identifier (e.g. “”). Auth0 will issue JWT access tokens to applications that need to access that API.
    You can define scopes for the API if you want different access levels. See for more information.
    You will code your API so that it inspects and validates the Access Token in every request before allowing access.
  • One or more Applications that will access the API (like your Java MVC applications).

Client applications can, in one request, ask for both an authentication (scope=openid) and an access token that can be used to make requests to the Rest API, using audience={your_api_identifier}.
If the authorization request from the Java MVC app looks like this:

  &scope=openid profile email {and optionally scopes for your API, if any}

The final token response will contain an ID Token with information about the authentication and the user (equivalent to what you get by calling the /userinfo endpoint), and an Access Token, meant to be used for requests to the Rest API, in JWT format (so that the API can validate it).
The aud (audience) in the ID Token is the client ID of the requesting application. The aud in the Access Token, on the other hand, is the identifier of the API for which the Access Token can be used.

The Access Token will contain by default only the sub claim about the user (the user ID). If you need more information about the user in the Rest API side you could add custom claims in the Access Token (see

The machine-to-machine scenario is when you want to let an application access an API without user intervention or approval (so the “subject” of the Access Token is the application itself, not the user).

Hope that helps as a starting point, happy to clarify whatever is needed.