I am in the process of securing my API using Auth0. So far everything seemed to work fine; I followed the steps in this guide here: Tutorial (except that I used MySQL instead of MongoDB, but I don’t think that should make any difference).
The middleware works because requests without tokens return an error that no token was provided.
But now my question is how to get a token from my SPA that is valid for the API.
I called the getAccessTokenSilently method and it returned a token.
I have sent this token as an authorization header in my requests as described in the instructions, but I still get a message that no token was provided.
Am I using the wrong token or do I need to configure something differently?
And one last question: I have seen that as soon as I create an API, an application is created with the name of the API + (Test Application), and it is marked as authorized. What exactly is going on with this application, and do I possibly need to set my normal SPA app in Auth0 to authorized as well?
Which SDK are you using in particular? What does the token look like when you decode it at jwt.io (it needs to be an access token)? You’ll need to make sure that, however you are requesting the token, you’re including an audience param. This should match the API identifier of your API registered in Auth0. This guide may be helpful.
The system is just creating an application to use to “test” against the API. That is, in API settings there is a “Test” tab that needs an authorized M2M app in order to function. Any M2M app can be used to test, but it creates a default one. Only M2M apps can be “authorized”, so no need to worry about the SPA in that sense.