Best secure identifying token? [SPA + Serverless]


I’m using Auth0 to manage and authenticate the use of 3rd Party API. We have the Social connection setup so that users can login with that 3rd party. In our app we need to make authenticated calls to the 3rd party about 60x a sec, usually this would not be a problem, but since our architecture is serverless we would need to call the Management API every call. this would far exceed the Auth0 rate limit, thus we need to cache the social connection access token. We’re using Vercel and redis store to store the access token for that 3rd party, where the key would an identifier and the value being the 3rd party access token.

Once the user logins with loginWithPopup, whats the best way to identify and store the tokens? we would have a /storeToken endpoint that takes a token that would call getUser and send that payload to the DB. Then for the following calls to our api we would pass that same token to lookup in our DB so we can make authenticated 3rd party calls, but between getUser() and getTokenSilently() what is the most secure token to send to that endpoint?

1 Like

Hi ,

Welcome to the Community!

Take a look at this doc, it describes the differences between access tokens and ID tokens.

ID tokens are typically meant to be consumed by your application (the SPA in this case) and access tokens are for the API (your serverless function).

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.