Best practices for creating users in backend DB on new registrations with Auth0

Hi there,

I’m wondering what is the best practice for creating new user records in my backend DB with Auth0?

Read through the documentation and forum, yet haven’t found a definitive answer so want to double-check with the community.

I’m building a web app with an SPA (React) + API (Laravel) scenario and using universal login with Auth0 with both Social (Google) and Database email/password connections, so I can’t use Hooks as they work only with Database but not with Social connection.

For now, I see two options:

  1. Create a Rule which will send user data to my API/backend. The backend will check if this is a new user and will create a new user account if so. The user will then proceed with authentication, and when that user’s API access token eventually reaches my API from the SPA, the DB will already “know” that user.

Pro: I can add information on whether this is a new or returning user to the ID token, so the SPA will know that right away and can react accordingly.
Con: as Rules are synchronous, this can increase user waiting time, and if the backend is slow or down in replying, it’ll negatively affect user experience as they will just see a loading spinner with no info on what’s happening until timeout.

  2. Whenever we have an unknown user ("sub" claim) in the JWT accessing the API from the SPA, we can trigger the Management API to request user details from Auth0 and create a new DB user record accordingly.

Pro: might be faster for user experience, yet the SPA won’t know if this is a new or returning user once it gets the ID token until the API replies. Yet it might not be that big of a deal if we check that right away once the SPA has received the token from Auth0.
Con: we need an additional trip to the Auth0 Management API and potentially (read: hopefully) can reach rate limits if we have too many concurrent new users (e.g. over 1000 per minute).

So the question is - how you solve that and what is the best practice here?

thanks!

Hi @valb,

Welcome to the Community!

I have also seen both scenarios laid out with similar pros/cons. Great job explaining it. I am going to reach out to the team and see if I can provide a good answer for which is the best practice, or why you should use one scenario vs the other.

I’ll update here when I have a response.

1 Like

One question we have is why you would need a call to the management API at all. You should be able to use the ID token returned from the initial authentication to create a user in your DB.

1 Like

@dan.woda Good point. My perception was that it’s not a best practice to use ID tokens for API authentication, so I haven’t thought this option through.

However, the frontend SPA can send 2 tokens in the very first access to the API right after authentication with Auth0:

  1. Access token in Auth bearer header, and
  2. ID token in the request body to share user credentials with the backend API.

That should actually work :+1:

Have I got your idea right?