Api keys for users

Hi,

I would like to give my users an api key (per user). According to the threat How can i generate api keys for users (stored in auth0) with auth0? - #6 by dan.woda this is currently not available.

Is there any update regarding this feature?

I thought that a workaround could be to sign the tokens manually in the server but it seems APIs access tokens must be signed with RSA and Auth0 does not provide the private key.

Note: my API is a Hasura endpoint and it handles authorization and roles through custom claims on the JWT, which is the reason I need to have JWT with custom claims per user.

Any other ideas into being able to provide API keys to my users?

Thanks in advance
Guillermo

Hi @g.padres

API keys are different than access tokens. I think what you want is an access token - which is a JWT (usually).

You can add custom claims to the access token with Auth0 actions or rules.

John

1 Like

Hi John,

We have a webapp that authenticates and afterwards users can get an access token to the API (on the webapp) with custom claims.

Additionally, since we are developing a SDK, we want to give users access to the API by the user having a key (or similar) that they would exchange for an Access Token in our backend. Ie if user holds valid key, backend signs and returns the access token. That was my intention but it seems this is not going to be possible, so I wonder if there is any other options for our case of user API keys to develop a SDK?

Best
Guillermo

Hi Guillermo,

I don’t understand your use case, sorry. You can certainly do what you need here though:
Your backend generates access tokens and signs them.
You configure your API to accept access tokens signed by either your Auth0 tenant or the backend.
This is a pretty standard approach - to configure the middleware to accept multiple signers for access tokens.

But I don’t understand the use case here - it is still not clear to me why the user cannot just authenticate and get an access token. Why do they have to have a key?

Some thoughts: you might check out 3rd party apps:

And you might check out M2M tokens:

One of these might apply in your case.

John

1 Like

Hi,

Sorry, perhaps my writing is not very clear. I hope you bare with me one more time:

For M2M applications, we need to know which organization is the one accessing via the JWT with a custom claim. Is there a way to do this? (Example to have an extra field when requesting the access token that gets passed as a custom claim could be an idea).

As an example, Hubspot gives an API key to the organization, see Access your HubSpot API key.
I thought we could do smth similar where we exchange the key for an access token in the backend. The access token would have the organization identifier as custom claim.

Best
Guillermo

Hi Guillermo,

I think what you need is client credentials (I linked to it above).

Each organization gets their own client credentials application in Auth0, which has a client ID and a client secret.

The organization then uses the client credentials flow to exchange their client ID and secret for a M2M access token. (The client ID and secret really are your “API key”).

The resulting access token has the organizations Client ID as the subject field.

John

Hi John,

When you say each organization gets their own client credentials application, you mean that we have to manually create a client-credentials application for them correct? So we are going to have as many client-credentials applications as we have organizations?

How do we link the Client id to the org id?

Another question, is it possible to customize claims in the Client Credentials tokens?

Thanks
Guillermo