Best practice for passing authorisation to next level api's


I’ve been looking for a while to find out the best practices for nesting several API’s and the authorisation involved… So I have a main API, that access a next level API to get information. In some cases this might be a generic API, that is not really different for each user connecting, but sometimes it might respond different for each user… Hence, it could just be using the same token that is provided to the highest level API…

What is the best practice? just get the token and pass it to the next API in it’s headers? or is there another way? I’m wondering if I’m looking at it in a too simplistic way? It would work, but should it be done that way?

Off course this is only relevant if both services are using the same identity provider, if not, then off course it doesn’t work…

Any insights would be greatly appreciated as I’ve been pondering about this one for a while, and couldn’t find anything explaining the best practice, or i just don’t know what it’s called (if it has a specific name :-))


Sandro Mastronardi

In a relatively similar situation I have a customer-facing API that talks to my back-end API to serve certain kinds of requests. The front end API follows the “Machine to Machine” authorization flow to the back end API and only renews its token when it expires (daily).

In addition I send a custom JWT from the front end api to the back end api in the headers of the request containing user information using HS256. I’m trusting that the front end api would only ever send me JWTs for properly authenticated users, which could be a concern depending on your situation.

I’m using the Auth0 authorization addon so the backend verifies permissions for that user via the authorization addon api, but you could use whatever trusted resource you already have at that point.

Hi Creamsteak,

Thanks… I have not looked into machine to machine communication yet, would I also use that? why not just pass the header from the frontend to the backend and pass on the user info the same way? Imagine if the services are on the same level, and one service needs to request user specific info from a sibling service, wouldn’t it be simplest to just pass the token along and get responses as would be the case when the user themselves would get data from that sibling service?

for example a billing service that gets customer information, but the customer service is also frontend facing…?

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?