I’ve been struggling with a similar question, and have read through the docs, and I believe I understand what is the recommended way to handle this. But I have a lingering question that I’m hoping you can help me with, @luis.rudge.
My setup is, I have a Single Page App that makes API calls to a Node/Express server. I’m using Auth0 for authentication to the app, and trying to also use Auth0 to lock down the API.
My (I realize perhaps mistaken) understanding of the docs is that, in this scenario, the standard thing to do is to make a separate tenant in the Auth0 dashboard that handles securing the API, and then implement a step whereby the client makes a request for an access token to that tenant, receives an access token, and then passes it to the SPA, which checks with auth0 to validate it.
I haven’t quite gotten this working yet, but close. My concern is, it seems the result will be that the user, right after logging in to the app, will be faced with another prompt that says “hey, is it ok to make a call to this API on your behalf?”. Is that right? If so, is there any way to avoid it? Because it seems like a…really unusual user experience, since, from the user’s perspective, there’s just one app. I’d like the existence of an API to be transparent to them if possible.