API Authentication With Access Token vs. ID Token

I’m currently implementing passwordless authentication with a SPA + API. We’re storing most user information in our DB. My goal is to only allow users to read their own records from the API.

It seems like I can do this using only ID tokens. So the user would hit a link in their email which would redirect to my SPA. The SPA would receive an access token and ID token corresponding to the user. The SPA would then make a call to the API for the user’s details.

Is there any reason I need to use the access token when calling my API? Can I not just pass along the ID token, then check the ID token details and signature in the API before responding?

1 Like

Although you could use id_token’s in your API, this is not the standard and most secure way of securing your API. We have a lot of docs about this, so I’ll leave a few of them so you can take a look. Feel free to ask more questions, if you have any left (our docs are amazing :tada:)

1 Like

I’ve been struggling with a similar question, and have read through the docs, and I believe I understand what is the recommended way to handle this. But I have a lingering question that I’m hoping you can help me with, @luis.rudge.

My setup is, I have a Single Page App that makes API calls to a Node/Express server. I’m using Auth0 for authentication to the app, and trying to also use Auth0 to lock down the API.

My (I realize perhaps mistaken) understanding of the docs is that, in this scenario, the standard thing to do is to make a separate tenant in the Auth0 dashboard that handles securing the API, and then implement a step whereby the client makes a request for an access token to that tenant, receives and access token, and then passes it to the SPA, which checks with auth0 to validate it.

I haven’t quite gotten this working yet, but close. My concern is, it seems the result will be that the user, right after logging in to the app, will be faced with another prompt that says “hey, is it ok to make a call to this API on your behalf?”. Is that right? If so, is there any way to avoid it? Because it seems like a…really unusual user experience, since, from the user’s perspective, there’s just one app, I’d like the existence of an API to be transparent to them if possible.



You don’t need a new tenant, you just need a new application. Have you followed our amazing SPA + API quickstart? It has answers for most of your questions.

About the consent screen: Yes, when you’re trying to authenticate using a third party application, you’ll see the consent screen. There’s more info this here: User Consent and Third-Party Applications

1 Like

Ah, yes, right. Application, not tenant. I did understand that, just used the wrong word.

And, do you mean this one? https://auth0.com/docs/quickstart/spa/vanillajs/03-calling-an-api. This does look helpful, and I had been looking elsewhere. Will give it a try.

Most importantly, in the docs I had been looking at so far, I hadn’t seen that user-consent for first party applications (which is my scenario) can be avoided. Definitely more confident proceeding now that I know that is possible and expected in this scenario.

So, thanks! Much appreciated.

No problem. Let me know if you have more questions :tada: