Authorizing third-party API access with JWT


We built an API for our application that is authenticated and authorized using JWT from Auth0. It works great!

Now we have a third-party application that would like to call these APIs from a SPA on their website.

Is there a standard approach to this? Would this require setting up SAML or OIDC to connect their identity provider to authorize their clients?

Another option might be to create an API the third party would need to call with a hashed userId from their server with an API key/secret that would create a “stub” user and return a JWT?


Hi @joe.a

These are third-party apps. You can start here: First-Party and Third-Party Applications

Basically they need to OIDC into your Auth0 tenant to authenticate, you give them back an access token (possibly a refresh token too).


1 Like
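Once a third-party SPA obtains an access token through the OIDC flow described in the reply, the API still has to decide what that client may do with it. The sketch below is an added example, not code from this thread or from Auth0: it verifies an RS256 token and then applies a per-client scope allow-list keyed on the `azp` claim. The issuer, audience, client IDs, scopes and the locally generated key pair are constructed placeholders; a real API would verify against the tenant's published signing keys, normally through a maintained JWT library.

```javascript
const crypto = require('node:crypto');

// Constructed placeholders: not a real tenant, API identifier or client ID.
const ISSUER = 'https://tenant.example/';
const AUDIENCE = 'https://api.example/';
// Deny by default: each known client ID (azp) maps to the scopes it may use.
const CLIENT_SCOPES = new Map([
  ['first-party-spa', ['read:orders', 'write:orders']],
  ['third-party-spa', ['read:orders']],
]);

// Stand-in for the authorization server: a local key pair signs demo tokens.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
function issueDemoToken(claims, alg = 'RS256') {
  const input = `${b64u({ alg, typ: 'JWT' })}.${b64u(claims)}`;
  const sig = alg === 'RS256' ? crypto.sign('sha256', Buffer.from(input), privateKey) : Buffer.alloc(0);
  return `${input}.${sig.toString('base64url')}`;
}

const deny = (reason) => ({ ok: false, reason });

// API side: verify the token, then decide whether this client may use requiredScope.
function authorize(token, requiredScope, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return deny('malformed');
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch { return deny('malformed'); }
  if (!header || !claims) return deny('malformed');
  if (header.alg !== 'RS256') return deny('alg'); // pin the algorithm, never trust the header
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('sha256', signed, publicKey, Buffer.from(parts[2], 'base64url'))) return deny('signature');
  if (claims.iss !== ISSUER) return deny('iss');
  if (![].concat(claims.aud).includes(AUDIENCE)) return deny('aud');
  if (typeof claims.exp !== 'number' || claims.exp <= now) return deny('exp');
  const granted = String(claims.scope || '').split(' ');
  if (!granted.includes(requiredScope)) return deny('scope');
  const allowed = CLIENT_SCOPES.get(claims.azp);
  if (!allowed) return deny('client'); // unknown client ID
  if (!allowed.includes(requiredScope)) return deny('client-scope');
  return { ok: true, reason: 'ok', sub: claims.sub, client: claims.azp };
}
```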