Allowing Specific Client and Audience to Access API


This article addresses the following question:

  • Is there a way to control custom API accessible to only certain Clients and Audiences?


It is possible to enforce with a Login Action. For example:

exports.onExecutePostLogin = async (event, api) => {

const client = event?.client?.client_id;
const audience = event?.resource_server?.identifier;
if (audience === '[https://restricted-api.api'](https://restricted-api.api'/);) {
if ( !(client === '[CLIENT_ID]') ) {
return api.access.deny("This API can only be accessed by another client");

This code will check if the audience matches the client_id (application), and if it does not, it will prevent the user from logging in.