Best Practice for Public API

We are in the process of implementing Auth0 as the authentication mechanism for a publicly facing API. It seems from the Auth0 documentation that we should create a separate application (Machine to Machine) for each client that will be generating Access Tokens for the given API. This all makes sense, and we have this portion up and running. My question is: is this the best practice for the long term / many consumers of the API? It seems that we could quickly have 100s of clients and thus 100s of Applications defined in Auth0 for consumers.

Would enjoy hearing others' feedback. Does anyone have a better management strategy? How many M2M applications / consumers do you all have?

Thanks
Brad

Hi Brad.
Your approach is the correct one.
There’s no hard limit on the number of clients defined, but I agree that the Dashboard experience is not ideal at this moment for hundreds or thousands of objects. The API v2 generic endpoints (like “get all applications”) might also be unsuitable for the task, but those that operate by individual client id should work perfectly.

Because of the above, at this moment I would recommend that you keep a record of the generated client_ids on your side (e.g. at least a record of which client_id was created for each of your customers), so that you can use the Management API to get/update/delete the application by ID without involving the Dashboard.

I would also encourage you to leave feedback at Auth0 describing your use case, so that the Product team can prioritize this need over others and put this scenario on the roadmap.

Best,
Nico
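One way to implement the record-keeping Nico describes above, as an added example that is not code from the thread, from Auth0 or from either poster. It keeps a customer_id -> client_id map on your side and drives only the per-client Management API v2 endpoints (POST /clients, GET/DELETE /clients/{id}, POST /clients/{id}/rotate-secret, POST and DELETE /client-grants), so neither the Dashboard nor the paginated "list all clients" endpoint is needed after onboarding. It assumes the caller already holds a Management API access token with the create/read/update/delete:clients and create/delete:client_grants scopes; the tenant domain, API audience and scope names are placeholders, and `FakeAuth0` is a constructed in-memory stand-in for the tenant so the code runs offline.

```python
import json
import urllib.request
from typing import Callable, Dict, List, Optional

# transport(method, url, headers, json_body) -> decoded JSON response (or {})
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], dict]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[dict]) -> dict:
    """Real HTTP transport against the tenant, standard library only."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}  # DELETE answers 204 with no body


class ClientRegistry:
    """customer_id -> {client_id, grant_id} map plus the per-client API calls.

    Every operation is addressed by ID, so the Dashboard and the paginated
    GET /api/v2/clients listing are never needed for day-to-day work.
    """

    def __init__(self, domain: str, mgmt_token: str, api_audience: str,
                 transport: Transport = urllib_transport):
        self.base = f"https://{domain}/api/v2"           # placeholder tenant
        self.headers = {"Authorization": f"Bearer {mgmt_token}",
                        "Content-Type": "application/json"}
        self.audience = api_audience                     # identifier of your public API
        self.transport = transport
        self.records: Dict[str, Dict[str, str]] = {}    # persist this in a real deployment

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        return self.transport(method, self.base + path, self.headers, body)

    def onboard(self, customer_id: str, scopes: List[str]) -> Dict[str, str]:
        """Create one M2M client per customer and grant it access to your API."""
        if customer_id in self.records:
            raise ValueError(f"customer {customer_id!r} already has a client")
        client = self._call("POST", "/clients", {
            "name": f"customer-{customer_id}",
            "app_type": "non_interactive",               # Machine to Machine
            "grant_types": ["client_credentials"],
            "client_metadata": {"customer_id": customer_id},  # reverse lookup from Auth0 side
        })
        grant = self._call("POST", "/client-grants", {
            "client_id": client["client_id"],
            "audience": self.audience,
            "scope": scopes,                             # least privilege per customer
        })
        self.records[customer_id] = {"client_id": client["client_id"],
                                     "grant_id": grant["id"]}
        return self.records[customer_id]

    def get(self, customer_id: str) -> dict:
        return self._call("GET", f"/clients/{self.records[customer_id]['client_id']}")

    def rotate_secret(self, customer_id: str) -> str:
        """Rotate the customer's client secret; the previous secret stops working."""
        cid = self.records[customer_id]["client_id"]
        return self._call("POST", f"/clients/{cid}/rotate-secret")["client_secret"]

    def offboard(self, customer_id: str) -> str:
        """Revoke the API grant, delete the client, forget the record."""
        rec = self.records.pop(customer_id)
        self._call("DELETE", f"/client-grants/{rec['grant_id']}")
        self._call("DELETE", f"/clients/{rec['client_id']}")
        return rec["client_id"]


class FakeAuth0:
    """Constructed in-memory stand-in for the tenant; answers the paths used above."""

    def __init__(self):
        self.clients, self.grants, self.calls = {}, {}, []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if not headers.get("Authorization", "").startswith("Bearer "):
            raise PermissionError("401: missing Management API token")
        parts = url.split("/api/v2/", 1)[1].split("/")
        if parts == ["clients"] and method == "POST":
            cid = f"cid{len(self.clients) + 1:04d}"
            self.clients[cid] = dict(body, client_id=cid, client_secret=f"sec-{cid}-0")
            return self.clients[cid]
        if parts[0] == "clients" and len(parts) >= 2:
            client = self.clients.get(parts[1])
            if client is None:
                raise LookupError("404: no such client")
            if parts[2:] == ["rotate-secret"] and method == "POST":
                client["client_secret"] += "r"
                return client
            if method == "GET":
                return client
            if method == "DELETE":
                del self.clients[parts[1]]
                return {}
        if parts == ["client-grants"] and method == "POST":
            gid = f"cgr{len(self.grants) + 1:04d}"
            self.grants[gid] = dict(body, id=gid)
            return self.grants[gid]
        if parts[0] == "client-grants" and len(parts) == 2 and method == "DELETE":
            del self.grants[parts[1]]
            return {}
        raise ValueError(f"unhandled {method} {url}")
```

Against a real tenant, drop the `transport=` argument and pass a Management API token obtained with the client-credentials grant for audience `https://<your-tenant>/api/v2/`. The `client_metadata.customer_id` field is the safety net if your own record store is ever lost: it lets you reconcile a client back to a customer without guessing from names.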

Nico,

Thank you for your feedback and the suggestion that we store the client_id. We do anticipate using the Auth0 v2 API endpoints for some automation in our processes.

Thank you
Brad
