Hi,
We would like to let our partner access our URL endpoint; it is only available after finishing authorization from Auth0. In our tenant, we have the Machine-to-Machine app set up. What do I need to give them so they can get the access token to call our HTTP endpoints? Our API expects the authorization header.
What do I have to give my partner?
M2M client ID, client secret, audience, and the Auth0 audience.
Thanks,
Hi @raymond.lee
You can see a sample here: Call Your API Using the Client Credentials Flow
This shows what your partner will need to get a token.
John
Thanks John,
From the security point of view, should I create another M2M app in the same tenant and give another set of client ID/client secret to our partner (more restricted)? And what API identifier should I give to our partner: the Auth0 Management one or our custom API one?
Thanks,
You should create an M2M app for each partner, and for each separate security context.
You give them the custom API audience.
John
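To make concrete what the partner needs (tenant domain, the M2M app's client ID and secret, and the custom API identifier as audience), here is an added example of the client credentials exchange and the subsequent call with the Authorization header the API expects. It is not code from this thread or from Auth0; the tenant domain, credentials, audience and endpoint URL are constructed placeholders, and the HTTP transport is injectable so the flow can be exercised offline.

```python
import json
import urllib.request

# Constructed placeholders (assumptions, not values from the thread): the tenant
# domain, the partner's M2M application credentials, and the custom API's identifier.
TENANT_DOMAIN = "your-tenant.auth0.com"
CLIENT_ID = "PARTNER_M2M_CLIENT_ID"
CLIENT_SECRET = "PARTNER_M2M_CLIENT_SECRET"
API_AUDIENCE = "https://api.example.com/"   # the custom API identifier, not the Management API's
API_ENDPOINT = "https://api.example.com/v1/orders"


def build_token_request(tenant_domain, client_id, client_secret, audience):
    """Assemble the client-credentials request the partner sends to Auth0's token endpoint."""
    url = f"https://{tenant_domain}/oauth/token"
    headers = {"Content-Type": "application/json"}
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }
    return url, headers, body


def http_json(url, headers, body=None):
    """Minimal transport: POST a JSON body (or GET when body is None) and parse the JSON reply."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    method = "GET" if body is None else "POST"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def get_access_token(tenant_domain, client_id, client_secret, audience, transport=http_json):
    """Exchange the M2M credentials for a bearer token; the transport is injectable for offline use."""
    url, headers, body = build_token_request(tenant_domain, client_id, client_secret, audience)
    reply = transport(url, headers, body)
    # Auth0 answers with access_token, token_type ("Bearer") and expires_in (seconds).
    if reply.get("token_type", "").lower() != "bearer" or not reply.get("access_token"):
        raise ValueError("token endpoint did not return a bearer access token")
    return reply["access_token"]


def call_api(endpoint_url, access_token, transport=http_json):
    """Call the protected endpoint with the token in the Authorization header the API expects."""
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    return transport(endpoint_url, headers)


if __name__ == "__main__":
    token = get_access_token(TENANT_DOMAIN, CLIENT_ID, CLIENT_SECRET, API_AUDIENCE)
    print(call_api(API_ENDPOINT, token))
```

The audience sent here must be the custom API identifier, so the token Auth0 issues is scoped to that API; on the receiving side the API still has to verify the token's signature, issuer (`https://{tenant-domain}/`) and that its `aud` claim matches that identifier before honouring the request.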
You mean in the same tenant, right? But I don't have to create another custom API app for each partner?
Thanks again.
Hi John,
Is this also the recommended approach for a B2C SaaS service with thousands of users? I would end up with thousands of apps in this case.
Thanks,
Luis
Hi @luis.gasca
That sounds complex. I don’t know. I would start by using access tokens and refresh tokens instead of M2M tokens. But there are many things to consider and without all the details I don’t know.
An Auth0 Professional Services engagement may help here.
John