I am building an API that needs to allow users to make calls to it from their website to store tracking data. This means their web client will not be authenticated, but the API needs some way to connect the call to a user.
This kind of thing is inherently insecure, so I just need a simple way to connect API calls to a user. I’ll handle abuse or false data later.
My initial idea was to add a secret key to the user’s app_metadata, in hopes that I could do some sort of query on users by app_metadata. I’d like to do something like this (just using SQL as pseudo code here):
SELECT id FROM users
WHERE secret = $1;
Then if a user shows up, use their id as ownership for tracking data. If not, return an error to the web client… But then I realized I don’t think I have a way to query users by metadata in Auth0. I think I saw a way to do some kind of API calls on user signup, but this sounds like it would be horrible to test locally.
I could use a “custom database” and just plug into the Postgres db I’m already using for my other data, but that seems like it isn’t recommended and might cause problems down the line.
So I’m just wondering if anyone else has run into this and if there is a recommended way to handle this.
Thank you
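One server-side shape of the lookup the post describes, as an added example that is not the poster's code and not an Auth0 API: the per-user tracking key lives only as a hash in the API's own table (SQLite stands in for the Postgres database mentioned), and the tracking endpoint resolves the key a web client presents to a user id or rejects the call. Table names, function names and the sample user id are assumptions made for this example.

```python
import hashlib
import json
import secrets
import sqlite3
from typing import Optional, Tuple

# In-memory SQLite stands in for the Postgres database from the post (constructed for this example).
def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking_keys (key_hash TEXT PRIMARY KEY, user_id TEXT NOT NULL)")
    conn.execute("CREATE TABLE events (owner TEXT NOT NULL, payload TEXT NOT NULL)")
    return conn

def _hash_key(secret: str) -> str:
    # Only the hash is persisted, so a copied table does not yield usable keys.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()

def issue_key(conn: sqlite3.Connection, user_id: str) -> str:
    """Mint a random per-user key. The plaintext is shown to the user once; only its hash is stored."""
    secret = "trk_" + secrets.token_urlsafe(32)
    conn.execute("INSERT INTO tracking_keys (key_hash, user_id) VALUES (?, ?)",
                 (_hash_key(secret), user_id))
    conn.commit()
    return secret

def resolve_owner(conn: sqlite3.Connection, presented: Optional[str]) -> Optional[str]:
    """Map the key sent by the (unauthenticated) web client to its owning user id, or None."""
    if not presented:
        return None
    row = conn.execute("SELECT user_id FROM tracking_keys WHERE key_hash = ?",
                       (_hash_key(presented),)).fetchone()
    return row[0] if row else None

def record_event(conn: sqlite3.Connection, presented: Optional[str], payload: dict) -> Tuple[int, dict]:
    """Handler for the tracking endpoint: attribute the event to the key's owner or reject it."""
    owner = resolve_owner(conn, presented)
    if owner is None:
        return 401, {"error": "unknown tracking key"}
    conn.execute("INSERT INTO events (owner, payload) VALUES (?, ?)", (owner, json.dumps(payload)))
    conn.commit()
    return 202, {"owner": owner}

if __name__ == "__main__":
    store = open_store()
    key = issue_key(store, "auth0|example-user")  # constructed user id
    print(record_event(store, key, {"page": "/pricing"}))  # (202, {'owner': 'auth0|example-user'})
    print(record_event(store, "trk_not-a-real-key", {}))  # (401, {'error': 'unknown tracking key'})
```

The plaintext key is what the user embeds in their site's tracking snippet; the API never stores it, only its hash, so the lookup is the same single indexed query the post sketches.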