Best Practices for Microservices: Creating Passwordless Users via M2M API

Hello all,

We currently have an architecture where multiple front-end applications connect to an API Gateway that in turn redirects to other APIs (e.g. a “Stage” API).

My question is the following regarding the structuring in Auth0:

For front-ends:
Should we create an Auth0 application for each front-end?

For backend APIs:
Should an Auth0 API correspond to each API (e.g. Stage API)?

Or should we declare a single Auth0 API for the API Gateway, and all other APIs would use the credentials of this API?

In addition, our APIs must be able to create users passwordless.

Is it possible, with the Auth0 PHP SDK, to create a user in passwordless mode via M2M communication?

If not possible, what solution could meet this current need?

Thank you very much for your feedback!

Hi @kevin.schmitt.upjv

Welcome to the Auth0 Community!

> Should we create an Auth0 application for each front end?

It’s a good practice to create a separate application in Auth0 for each of your frontends, as they will probably have a different configuration.

> For backend APIs:
> Should an Auth0 API correspond to each API (e.g. Stage API)?
>
> Or should we declare a single Auth0 API for the API Gateway, and all other APIs would use the credentials of this API?

Currently, we don’t support multiple Audiences, so in this case, it would be best to create an API for the API Gateway and manage it with scopes, with a single audience that will point to the API Gateway.

> In addition, our APIs must be able to create users passwordless.

If you enable the passwordless connection for your M2M application but leave the Grant Type set to Client Credentials only, you will be able to create a passwordless user with the Management API; the connection parameter will be “email”.

Thanks
Dawid
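
The flow described in the answer above, as an added example that is not part of the original posts and is not Auth0's own code: it calls the Management API's HTTP endpoints directly with PHP's curl extension rather than going through the Auth0 PHP SDK. It assumes the M2M application is authorized for the Management API with the `create:users` scope; the environment variable names and the sample address are placeholders.

```php
<?php
declare(strict_types=1);
// Added example: tenant domain and client credentials are placeholders read from env vars.

function postJson(string $url, array $body, ?string $bearer = null): array
{
    $headers = ['Content-Type: application/json'];
    if ($bearer !== null) { $headers[] = "Authorization: Bearer $bearer"; }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($body, JSON_THROW_ON_ERROR),
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $raw    = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($raw === false || $status >= 400) {
        // Report only the status: response bodies may contain token material.
        throw new RuntimeException("POST $url failed with HTTP status $status");
    }
    return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

function createPasswordlessUser(string $domain, string $id, string $secret, string $email): array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Not a valid email address');
    }
    // Client Credentials grant for the Management API audience.
    $token = postJson("https://$domain/oauth/token", [
        'grant_type'    => 'client_credentials',
        'client_id'     => $id,
        'client_secret' => $secret,
        'audience'      => "https://$domain/api/v2/",
    ]);
    // No password field: the user is created in the passwordless "email" connection.
    return postJson("https://$domain/api/v2/users", [
        'connection' => 'email',
        'email'      => $email,
    ], $token['access_token']);
}

if (getenv('AUTH0_DOMAIN') !== false) { // run only when the placeholders are configured
    [$d, $i, $s] = array_map('getenv', ['AUTH0_DOMAIN', 'AUTH0_CLIENT_ID', 'AUTH0_CLIENT_SECRET']);
    echo createPasswordlessUser($d, $i, $s, 'new.user@example.com')['user_id'], PHP_EOL;
}
```

In a long-running service, cache the access token until it expires instead of requesting a new one for every user, and keep the client secret out of source control.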
