Overview
This article addresses the following question:
- Is there a way to control custom API accessible to only certain Clients and Audiences?
Solution
This can be enforced with a Post-Login Action that inspects which API (audience) the token is being requested for and which application (client_id) is requesting it. For example:

```javascript
exports.onExecutePostLogin = async (event, api) => {
  const client = event?.client?.client_id;
  const audience = event?.resource_server?.identifier;

  // Only enforce the restriction when the token is being requested for this API
  if (audience === 'https://restricted-api.api') {
    // Replace [CLIENT_ID] with the client_id of the one application allowed to call it
    if (client !== '[CLIENT_ID]') {
      return api.access.deny("This API can only be accessed by another client");
    }
  }
};
```
This Action runs after every successful authentication. It checks whether the requested audience is the restricted API; if it is and the requesting application's client_id is not the one allowed, api.access.deny() rejects the login and no token is issued. Requests for any other audience pass through unchanged, as do requests with no audience parameter at all, in which case event.resource_server is undefined and the comparison never matches. Note that this only covers user login flows: client credentials (machine-to-machine) grants do not run Post-Login Actions, so the same restriction for those clients must be implemented in the Machine to Machine (Credentials Exchange) flow.
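The snippet above handles one API and one client. The following is an added example (not Auth0's own code) that generalises it to an allowlist of several audiences, each with its own set of permitted client_ids, and separates the decision logic from the Action entry point so it can be exercised locally with a stand-in for the api object. The audience URLs and client_ids are constructed for the example and must be replaced with real identifiers from the tenant.

```javascript
// Added example, not Auth0's own code: a Post-Login Action that restricts
// several custom APIs to explicit allowlists of client_ids, plus a small
// local harness so the logic can be checked without deploying to a tenant.

// Hypothetical API identifiers and client_ids, constructed for this example.
const RESTRICTED_AUDIENCES = {
  'https://restricted-api.api': new Set(['abc123ClientA']),
  'https://billing-api.example': new Set(['abc123ClientA', 'def456ClientB']),
};

// Pure decision function: returns { deny: false } or { deny: true, reason }.
// Keeping it separate from the Action entry point makes it unit-testable.
function decide(event, allowlist = RESTRICTED_AUDIENCES) {
  const clientId = event?.client?.client_id;
  const audience = event?.resource_server?.identifier;

  // No audience requested, or an API that is not restricted: nothing to enforce.
  if (!audience || !Object.prototype.hasOwnProperty.call(allowlist, audience)) {
    return { deny: false };
  }

  const allowed = allowlist[audience];
  if (!clientId || !allowed.has(clientId)) {
    return {
      deny: true,
      reason: `Application ${clientId ?? '(unknown)'} may not request tokens for ${audience}`,
    };
  }
  return { deny: false };
}

// Action entry point with the real Auth0 Post-Login signature.
const onExecutePostLogin = async (event, api) => {
  const decision = decide(event);
  if (decision.deny) {
    api.access.deny(decision.reason);
  }
};

// Minimal stand-in for the Auth0 `api` object that records what the Action did.
function makeFakeApi() {
  const calls = [];
  return {
    calls,
    access: { deny: (reason) => { calls.push({ deny: reason }); } },
  };
}

// Runs the Action against a constructed event and reports the outcome as text.
async function run(clientId, audience) {
  const event = {
    client: { client_id: clientId },
    resource_server: audience ? { identifier: audience } : undefined,
  };
  const api = makeFakeApi();
  await onExecutePostLogin(event, api);
  return api.calls.length === 0 ? 'allowed' : `denied: ${api.calls[0].deny}`;
}

// Export the entry point the way an Auth0 Action expects it (CommonJS only).
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Only the `onExecutePostLogin` export is needed in the Action itself; `decide`, `makeFakeApi` and `run` exist so the allowlist can be tested outside the tenant, for instance `run('def456ClientB', 'https://restricted-api.api')` resolves to a denial while `run('def456ClientB', 'https://billing-api.example')` resolves to `'allowed'`. Because the check keys on the audience, applications that request a token without an audience parameter are never denied here, exactly as in the original snippet.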