I am using auth0-js for authentication on my website. I am trying to integrate a new API on the site which I need to be accessible only by authenticated users.
To start, I have set up an API in the auth0 dashboard.
Next, I am following the information in this article which indicates that I can acquire an access token for a “different API than the one used when initializing” (I am using /api/v2/ during initialization).
There doesn’t seem to be clear documentation about authenticating for a second API (audience) using the auth0-js SDK. If anyone could provide guidance it would be very appreciated.
Hi @amos and thanks for reaching out to the Auth0 Community!
From the documentation you’ve linked it looks like you need to include the necessary scopes when making that checkSession() call to your additional API. Have you already attempted to add scopes and if so did you still get a jwt_invalid error?
Per your advice, I tried adding scopes to the checkSession() call. I created a scope via “Permissions” tab on the API dashboard for testing purposes, called access:api. Prior to this I did not have any scopes associated with this API. Are scopes always needed?
Does your API have Allow Skipping User Consent enabled in the API dashboard? This setting alone wouldn’t be enough, however; it would also require the application calling the API to be “First Party”. More on that can be found here:
If those resources don’t help, please send me your tenant in a DM so I can review your tenant configuration and see if I can provide any further feedback.
Looking deeper, I am inclined to believe that part of the problem was testing on localhost.
Testing the above code in my production environment, I no longer get the consent_required error.
Instead, I get two other issues:
In Safari, I get a login_required error, which is likely due to the known cookie issue.
In Firefox/Chrome checkSession() is returning null.
The Firefox/Chrome issue leads me to believe there is still a problem with my setup.
I’m hoping to get this working at least in Firefox/Chrome and then go forward with using a custom domain for support in Safari. Please let me know if you have any insight into the null return.
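The checkSession() call discussed above, written out as an added example (not code from the thread or from the Auth0 SDK itself): it builds the options for a second API audience, requests that API's scopes, and maps the callback outcome onto the cases mentioned in the thread (login_required, consent_required, a null result with no token). The `webAuth` object is assumed to be an auth0-js WebAuth instance created elsewhere; the API identifier and the `access:api` scope are placeholders, and `fakeWebAuth` is a constructed stand-in so the block runs offline.

```javascript
// Added example, not from the original thread. Assumes an auth0-js WebAuth
// instance exists, e.g.
//   const webAuth = new auth0.WebAuth({
//     domain: 'YOUR_TENANT.auth0.com',     // placeholder
//     clientID: 'YOUR_CLIENT_ID',          // placeholder
//     redirectUri: 'https://example.com/callback',
//     responseType: 'token id_token',
//   });
// A token issued for one audience (e.g. /api/v2/) is not valid for another API,
// so each API needs its own checkSession() call with its own audience.

function buildCheckSessionOptions(audience, scopes) {
  // audience = the API identifier from the Auth0 dashboard (placeholder below);
  // scopes   = the permissions defined on that API's "Permissions" tab.
  if (!audience) throw new Error('audience (API identifier) is required');
  const scope = ['openid'].concat(scopes || []).join(' ');
  return { audience: audience, scope: scope, responseType: 'token' };
}

function classifyCheckSessionResult(err, authResult) {
  // Map the callback outcome onto the cases seen in the thread.
  if (err) {
    switch (err.error) {
      case 'login_required':
        // No usable Auth0 session cookie (e.g. third-party cookies blocked).
        return { status: 'login_required', detail: err.errorDescription || '' };
      case 'consent_required':
        // User has not consented to this API's scopes and consent cannot be skipped.
        return { status: 'consent_required', detail: err.errorDescription || '' };
      default:
        return { status: 'error', detail: err.error || String(err) };
    }
  }
  if (!authResult || !authResult.accessToken) {
    // checkSession() completed without an error but returned no token.
    return { status: 'no_token', detail: 'authResult was null or had no accessToken' };
  }
  return {
    status: 'ok',
    accessToken: authResult.accessToken,
    expiresIn: authResult.expiresIn,
  };
}

function getTokenForApi(webAuth, audience, scopes) {
  // Promise wrapper around the callback-style checkSession() call.
  return new Promise(function (resolve) {
    webAuth.checkSession(buildCheckSessionOptions(audience, scopes), function (err, authResult) {
      resolve(classifyCheckSessionResult(err, authResult));
    });
  });
}

// Constructed stand-in for auth0-js so the example runs without a tenant.
// It "issues" a token only for the placeholder API identifier.
const fakeWebAuth = {
  checkSession: function (options, cb) {
    if (options.audience === 'https://example-api.placeholder') {
      cb(null, { accessToken: 'constructed-token', expiresIn: 7200 });
    } else {
      cb({ error: 'login_required', errorDescription: 'Login required' }, null);
    }
  },
};

getTokenForApi(fakeWebAuth, 'https://example-api.placeholder', ['access:api'])
  .then(function (result) { console.log('second API:', result.status); });
```

On the server side, the API that receives this token should validate the `aud` claim against its own identifier; a token minted for /api/v2/ will (correctly) fail that check, which is one way a jwt_invalid-style rejection shows up when the audience in checkSession() does not match the API being called.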