Access API through AUTH0

Hi,

We would like to let our partner access our URL endpoint; it is only available after finishing authorization from AUTH0. In our tenant, we have the Machine-to-Machine app set up. What do I need to give them so they can get the access token to call our HTTP endpoints? Our API expects the authorization header.

What do I have to give my partner?

M2M client ID, client secret, audience, and the auth0 audience.

Thanks,

Hi @raymond.lee

You can see a sample here: Call Your API Using the Client Credentials Flow

This shows what your partner will need to get a token.

John

Thanks John,

From the security point of view, should I create another M2M app in the same tenant and give another set of client ID/client secret to our partner (more restricted)? And what API identifier should I give to our partner: the AUTH0 management one or our custom API one?

Thanks,

You should create an M2M app for each partner, and for each separate security context.
You give them the custom API audience.

John
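Added example, not code from the thread or from Auth0: an offline simulation of the client credentials flow from John's first reply and of the per-partner M2M app / custom API audience advice in his second. The partner posts grant_type, client_id, client_secret and audience to the token endpoint; the custom API verifies the returned bearer token and identifies which partner's app called it. Everything below is constructed: the tenant domain, client IDs, secrets and audiences are placeholders, and signing uses HS256 with a shared secret so it runs without a network (a real Auth0 tenant signs API access tokens with RS256, so a real API verifies against the tenant's published JWKS instead). The claim names (sub as `<client_id>@clients`, azp, aud, iss, exp, gty) are assumed to follow the shape of Auth0 client-credentials tokens.

```python
import base64
import hashlib
import hmac
import json
import time

TENANT = "https://example-tenant.auth0.com/"       # constructed placeholder tenant
CUSTOM_API_AUDIENCE = "https://api.example.com/"   # identifier of the custom API (what the partner gets)
MGMT_API_AUDIENCE = TENANT + "api/v2/"             # identifier of the Auth0 Management API (what they do not get)
SIGNING_SECRET = b"offline-demo-signing-secret"    # stand-in for the tenant's RS256 signing key

# One M2M application per partner: separate client_id/secret and a separate grant
# to the custom API, so one partner's credentials can be rotated or revoked alone.
M2M_APPS = {
    "partnerA-client-id": {"secret": "partnerA-secret", "audiences": {CUSTOM_API_AUDIENCE}},
    "partnerB-client-id": {"secret": "partnerB-secret", "audiences": {CUSTOM_API_AUDIENCE}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Mint a compact JWT (HS256 here only so the example runs offline)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def token_endpoint(form: dict) -> dict:
    """Mock of POST {TENANT}oauth/token: the four values the thread lists are all the partner sends."""
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    app = M2M_APPS.get(form.get("client_id"))
    if app is None or not hmac.compare_digest(app["secret"], form.get("client_secret", "")):
        return {"error": "access_denied", "error_description": "Unauthorized"}
    if form.get("audience") not in app["audiences"]:
        # The M2M app has no grant for that API (e.g. the Management API): no token.
        return {"error": "access_denied", "error_description": "Client is not authorized for the requested audience"}
    now = int(time.time())
    token = sign_jwt({
        "iss": TENANT,
        "sub": form["client_id"] + "@clients",   # identifies the partner's M2M app
        "aud": form["audience"],
        "azp": form["client_id"],
        "gty": "client-credentials",
        "iat": now,
        "exp": now + 86400,
    })
    return {"access_token": token, "token_type": "Bearer", "expires_in": 86400}


def verify_request(authorization_header: str):
    """What the custom API does with the Authorization header: check scheme, signature,
    issuer, audience and expiry, then return the calling client (sub) or None."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != TENANT or claims.get("aud") != CUSTOM_API_AUDIENCE:
        return None   # a token minted for another audience (e.g. Management API) is rejected here
    if claims.get("exp", 0) <= time.time():
        return None
    return claims["sub"]


def partner_calls_api(client_id: str, client_secret: str, audience: str):
    """End to end: partner gets a token, then calls the API with it. Returns the
    identified caller on success or the token endpoint's error code."""
    resp = token_endpoint({"grant_type": "client_credentials", "client_id": client_id,
                           "client_secret": client_secret, "audience": audience})
    if "access_token" not in resp:
        return resp["error"]
    return verify_request("Bearer " + resp["access_token"])


if __name__ == "__main__":
    print(partner_calls_api("partnerA-client-id", "partnerA-secret", CUSTOM_API_AUDIENCE))
```

Because each partner has its own M2M app, the API can tell callers apart from `sub` and log or rate-limit per partner, and revoking one partner's grant does not touch the others. Giving the partner the Management API identifier would either fail at the token endpoint (no grant) or produce a token the custom API rejects on the `aud` check.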

You mean in the same tenant, right? But I don't have to create another custom API app for each partner?

Thanks again.

Hi John,

Is this also the recommended approach for a B2C SaaS service, with thousands of users? I would end up with thousands of apps in this case.

Thanks,
Luis

Hi @luis.gasca

That sounds complex. I don’t know. I would start by using access tokens and refresh tokens instead of M2M tokens. But there are many things to consider and without all the details I don’t know.

An Auth0 Professional Services engagement may help here.

John