I have a React application talking to a backend API on HAPI - what should my auth0 flow and setup be? The backend HAPI also will serve IOS and Andriod client apps.
The back-end API will be represented in the APIs section of the dashboard and then all the client applications that want to call them should perform an authorization request (aka including the API audience parameter) in order to obtain an access token suitable to call the respective API. The access token will then be used on each call and since the access token will be in a JWT format the API will be able to validate it without additional calls and in such way allows access to each API operation.
The React application will be represented in the Clients section of the Dashboard and will need to obtain the suitable access token to then call the API.
The following links will be relevant for your use case:
- The React quickstart.
- The Hapi API quickstart - have in mind that this quickstart is community maintained and not formally supported by Auth0.
- The implicit grant reference documentation - given the type of client application a React application is, it will be using this grant so you may want to give a look at the high-level flow.